# Database Error Information Exposure in HTTP Response

- ID: go-error-message-exposure
- Severity: MEDIUM
- CWE: Error Message Information Leak (CWE-209)
- Languages: Go
- Frameworks: stdlib, gin, echo, fiber, chi, gorilla

## Description

Internal error messages or stack traces are exposed to users in HTTP responses.

## Detection Message

Database error information or SQL query is exposed in HTTP response. Found: `{sink_code}`

This can reveal:

- Database schema (table/column names)
- SQL query structure
- Technology stack details
- Internal error messages

Attackers use this to craft targeted SQL injection attacks.

## Remediation

Return generic error messages to users and log the details server-side.

```go
if err != nil {
	log.Printf("internal error: %v", err)                                   // Log details server-side
	http.Error(w, "An error occurred", http.StatusInternalServerError) // Generic response
	return
}
```

Learn more: https://shoulder.dev/learn/go/cwe-209/error-message-exposure

## Related Rules

- **Information Exposure Through Error Messages** [MEDIUM]
- **Error Message Information Disclosure** [MEDIUM]
- **Internal Path and IP Address Disclosure** [MEDIUM]
- **tRPC Error Information Disclosure** [MEDIUM]
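
The pattern from the Remediation section as a complete stdlib handler, next to the form this rule flags. This is an added example, not code from the rule or its project. `lookupUser`, `errDB`, the `/user` route and the reference-ID scheme are assumptions made for illustration, and the driver error text is constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// errDB is a constructed stand-in for a driver error; no real database is used.
var errDB = errors.New(`pq: column "passwd_hash" of relation "users" does not exist`)

// lookupUser is a hypothetical data-access call that always fails, wrapping the query text.
func lookupUser(id string) (string, error) {
	return "", fmt.Errorf("SELECT name FROM users WHERE id = %q: %w", id, errDB)
}

// vulnerableHandler is the flagged pattern: err.Error() is written to the client.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := lookupUser(r.URL.Query().Get("id")); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
}

// safeHandler logs the full error under a random reference and returns only that reference.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := lookupUser(r.URL.Query().Get("id")); err != nil {
		ref := make([]byte, 8)
		_, _ = rand.Read(ref)
		log.Printf("internal error ref=%x path=%s: %v", ref, r.URL.Path, err)
		http.Error(w, fmt.Sprintf("An error occurred (ref %x)", ref), http.StatusInternalServerError)
		return
	}
}

// respond runs a handler against a constructed request and returns status and body.
func respond(h http.HandlerFunc) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/user?id=42", nil))
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(respond(vulnerableHandler))
	fmt.Println(respond(safeHandler))
}
```

The reference in the response lets support staff find the matching server-side log line without the client ever seeing schema or query details.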