Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ruby: add stack-trace exposure query #11250

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

nickrolfe
Copy link
Contributor

@nickrolfe nickrolfe commented Nov 14, 2022

This gives us coverage of CWE-209.

It's a fairly direct port of the Python version of this query:

  • Sources are calls to backtrace on exception variables, and calls to Kernel#caller.
  • Sinks are bodies of HTTP responses.

One obvious idea for improving the query would be to define a sink for expressions inside <%= ... %> tags in view templates. Do we have a succinct way of expressing that, e.g. a concept?

@github-actions
Copy link
Contributor

github-actions bot commented Nov 14, 2022

QHelp previews:

ruby/ql/src/queries/security/cwe-209/StackTraceExposure.qhelp

Information exposure through an exception

Software developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.

Unfortunately, the same information can be useful to an attacker. The sequence of class or method names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.

Recommendation

Send the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.

Example

In the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is exposted to the remote user by rendering it as an HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server, and a generic error message is displayed to the user. That way, the developers can still access and use the error log, but remote users will not see the information.

class UsersController < ApplicationController

  def update_bad(id)
    do_computation()
  rescue => e
    # BAD
    render e.backtrace, content_type: "text/plain"
  end

  def update_good(id)
    do_computation()
  rescue => e
    # GOOD
    log e.backtrace
    redner "Computation failed", content_type: "text/plain"
  end

end

References

from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ may be exposed to an external user", source.getNode(),
"Error information"

Check warning

Code scanning / CodeQL

Consistent alert message Warning

The rb/stack-trace-exposure query does not have the same alert message as go, js, py.
Copy link
Contributor Author

@nickrolfe nickrolfe Nov 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, but it now has the same alert message as Java.

@nickrolfe nickrolfe force-pushed the nickrolfe/stack-trace-exposure branch from 2a35af3 to c660ea1 Compare Nov 14, 2022
@nickrolfe nickrolfe marked this pull request as ready for review Nov 14, 2022
@nickrolfe nickrolfe requested a review from a team as a code owner Nov 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant