# Generation of Error Message Containing Sensitive Information (CWE-209)

The product generates an error message that includes sensitive information about its environment, users, or associated data.

**Stack:** Go

- Prevalence: Medium (covers 3 languages)
- Impact: Medium (review recommended)
- Prevention: 5 remediation examples recorded

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

The sensitive information may be valuable on its own, or it may be useful for launching other, more serious attacks. The error message may be created in different ways, and the information it includes can range widely.

## Prevention

Error Message Information Leak prevention strategy based on 1 Shoulder detection rule.

### Go

Return generic error messages to clients; log detailed errors server-side.

## Consequences

- Read application data
- Read files or directories

## Mitigations

- Handle exceptions internally and do not display errors to users
- Create default error pages for HTTP errors such as 404 and 500
- Implement proper error handling: log detailed errors server-side and show generic messages to users

## Detection

- Total rules: 5
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Database Error Information Exposure in HTTP Response** [MEDIUM]: Internal error messages or stack traces exposed to users in HTTP responses.
  - Remediation: Return generic error messages to users, log details server-side.

```go
if err != nil {
    log.Printf("internal error: %v", err)                                  // Log details server-side
    http.Error(w, "An error occurred", http.StatusInternalServerError) // Generic response to the client
    return
}
```

Learn more: https://shoulder.dev/learn/go/cwe-209/error-message-exposure
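The contrast the rule above describes, shown as an added Go example that is not part of the original page or of Shoulder's tooling: `leakyHandler` writes `err.Error()` straight into the HTTP response (the pattern the rule flags), while `safeHandler` logs the full error with a per-request reference id and returns only a generic message plus that id, so support staff can still correlate a user report with the server log. The simulated database error text, the `lookupUser` function, the `/user` route and the `leaksInternalDetail` markers are all constructed for this illustration and are not taken from any real driver or from the page.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// errDB is a constructed stand-in for a database driver error. Real driver
// messages routinely carry table names, file paths and line numbers like this.
var errDB = errors.New(`pq: relation "users" does not exist at /srv/app/db.go:42`)

// lookupUser simulates a data-layer call (hypothetical helper) that fails when
// no id is supplied, wrapping the driver error with call-site context.
func lookupUser(id string) (string, error) {
	if id == "" {
		return "", fmt.Errorf("lookupUser: %w", errDB)
	}
	return "user-" + id, nil
}

// leakyHandler is the vulnerable form: the wrapped driver error, including
// schema and source-path details, becomes the response body.
func leakyHandler(w http.ResponseWriter, r *http.Request) {
	name, err := lookupUser(r.URL.Query().Get("id"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	fmt.Fprintln(w, name)
}

// newErrorID returns a short random reference id that ties a client-visible
// generic message to the detailed server-side log entry.
func newErrorID() string {
	b := make([]byte, 4)
	if _, err := rand.Read(b); err != nil {
		return "unknown"
	}
	return hex.EncodeToString(b)
}

// safeHandler is the hardened form: details go to the server log, the client
// receives a generic message and the reference id only.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	name, err := lookupUser(r.URL.Query().Get("id"))
	if err != nil {
		id := newErrorID()
		log.Printf("error_id=%s method=%s path=%s err=%v", id, r.Method, r.URL.Path, err)
		http.Error(w, "An error occurred (reference: "+id+")", http.StatusInternalServerError)
		return
	}
	fmt.Fprintln(w, name)
}

// serve drives a handler in-process with httptest and returns the status code
// and response body, so both variants can be compared without a real server.
func serve(h http.HandlerFunc, target string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

// leaksInternalDetail is a simple response check for the kinds of markers a
// CWE-209 rule looks for: driver prefixes, schema words, source paths.
func leaksInternalDetail(body string) bool {
	for _, marker := range []string{"pq:", "relation", ".go:", "/srv/"} {
		if strings.Contains(body, marker) {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"leaky", leakyHandler}, {"safe", safeHandler}} {
		code, body := serve(c.h, "/user?id=")
		fmt.Printf("%-5s status=%d leaks=%v body=%q\n", c.name, code, leaksInternalDetail(body), body)
	}
}
```

Both handlers still return 500 on failure; the difference is only in what crosses the trust boundary. The reference id is what makes the generic message operationally acceptable, since the detailed `error_id=...` log line can be found from it without the client ever seeing the driver text.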