Leakage of sensitive information in exception message
- Rule ID: ruby_rails_detailed_exceptions
- Languages: ruby
- Source: detailed_exceptions.yml
Description
Leakage of sensitive information in exception messages poses a significant security risk. When an exception message is printed to the default output, it might reveal sensitive details about your application's technical setup or environment. This could potentially open the door to attacks, such as path traversal. Even more concerning is the possibility of exposing user-specific data, which could lead to serious privacy breaches.
Remediations
- Do not configure your application to display detailed error messages for all requests. Setting `consider_all_requests_local` to `true` makes every client, not just local ones, receive the full error page:
config.consider_all_requests_local = true # unsafe
- Do not override `show_detailed_exceptions?` in controllers to return detailed errors to arbitrary clients:
class MyController < ApplicationController
  def show_detailed_exceptions? # unsafe
    ...
  end
end
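The two remediations above decide the same thing: whether the response body carries the exception detail or a generic page. The following added example (not from Bearer or Rails) models that decision in plain Ruby without loading Rails; `AppConfig`, `Request`, `ApplicationController` and `error_body` are assumed names that mirror the roles of `config.consider_all_requests_local`, the request object and a controller's `show_detailed_exceptions?`.

```ruby
# Plain-Ruby model of how a Rails app chooses between a detailed and a
# generic error page. Constructed for illustration; it does not load Rails.

AppConfig = Struct.new(:consider_all_requests_local)

class Request
  def initialize(config)
    # Rails copies the global flag into each request's env.
    @show_exceptions = config.consider_all_requests_local
  end

  def show_detailed_exceptions?
    @show_exceptions
  end
end

class ApplicationController
  attr_reader :request

  def initialize(request)
    @request = request
  end

  # Default behaviour: follow the global setting (false in production).
  def show_detailed_exceptions?
    request.show_detailed_exceptions?
  end
end

class SafeController < ApplicationController; end

class UnsafeController < ApplicationController
  # The override the rule flags: every client gets the exception detail.
  def show_detailed_exceptions?
    true
  end
end

# Constructed error; an internal path is the kind of detail that must not
# reach an anonymous client.
SAMPLE_ERROR = RuntimeError.new("No such file /srv/app/config/secrets.yml")

# Body the client would receive for the given controller and error.
def error_body(controller, error)
  return "We're sorry, but something went wrong." unless controller.show_detailed_exceptions?
  "#{error.class}: #{error.message}"
end

# Helper: build a request under the given global setting and render the error.
def body_for(controller_class, local:)
  error_body(controller_class.new(Request.new(AppConfig.new(local))), SAMPLE_ERROR)
end

puts body_for(SafeController, local: false)   # generic page
puts body_for(UnsafeController, local: false) # leaks the path
```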
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=ruby_rails_detailed_exceptions
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=ruby_rails_detailed_exceptions