Leakage of sensitive information in exception message

Description

Leakage of sensitive information in exception messages poses a significant security risk. Rails' detailed error page (the one rendered when detailed exceptions are enabled) shows the exception class and message, a full backtrace with absolute file paths, a source extract, the request parameters and details of the server environment. Served to an untrusted client, this reveals the application's internal layout and dependencies and hands an attacker the file paths and parameter names needed for further attacks, such as path traversal. Even more concerning, the exception message itself may carry user-specific data or credentials (a failed query, a connection string), which could lead to serious privacy breaches. Detailed exceptions must stay confined to development.

Remediations

  • Do not configure your application to display detailed error messages for all requests. This setting belongs only in development; in production it must be false.
    config.consider_all_requests_local = true # unsafe
  • Do not override show_detailed_exceptions? in controllers so that it returns true; Rails consults it on every rescued exception, so an unconditional true forces the detailed page even when the production setting above is false.
    class MyController < ApplicationController
      def show_detailed_exceptions? # unsafe
        true
      end
    end
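The following is an added example, not code from the Bearer rule or from Rails itself: a small stand-alone model of the decision Rails makes when an exception escapes a controller (detailed page versus the generic public page), and of what each response exposes to the client. The names AppConfig, ErrorRenderer, render_error, leaks_internals? and the sample exception are assumptions constructed for this illustration; the decision logic mirrors the two switches named in the remediations above (consider_all_requests_local and a controller's show_detailed_exceptions?).

```ruby
# Added example (not Bearer's or Rails' own code): a minimal model of how Rails
# chooses between the detailed exception page and the public error page, and
# what leaks in each case. AppConfig, ErrorRenderer, render_error and the sample
# exception below are constructed for illustration only.

require "json"

# Stand-in for the Rails configuration switch (config/environments/*.rb).
AppConfig = Struct.new(:consider_all_requests_local, keyword_init: true)

class ErrorRenderer
  PUBLIC_MESSAGE = "We're sorry, but something went wrong.".freeze

  # show_detailed_exceptions_override models a controller that overrides
  # show_detailed_exceptions?; nil means the Rails default is used.
  def initialize(config, show_detailed_exceptions_override: nil)
    @config = config
    @override = show_detailed_exceptions_override
  end

  # Mirrors the Rails decision: a controller override wins; otherwise detailed
  # output is shown when every request is considered local or this one is.
  def show_detailed_exceptions?(request_local:)
    return @override.call if @override
    @config.consider_all_requests_local || request_local
  end

  def render_error(exception, request_local: false)
    if show_detailed_exceptions?(request_local: request_local)
      # Detailed page: exception class, raw message and backtrace with file paths.
      { status: 500,
        body: { error: exception.class.name,
                message: exception.message,
                backtrace: exception.backtrace } }
    else
      # Public page: fixed text, nothing about the application's internals.
      { status: 500, body: { error: PUBLIC_MESSAGE } }
    end
  end
end

# Constructed sample exception: the shape a database outage produces, with an
# internal hostname and credentials in the message and absolute paths in the
# backtrace. Not a real system.
def sample_exception
  e = RuntimeError.new("PG::ConnectionBad: could not connect to server at db.internal:5432 (user=app)")
  e.set_backtrace([
    "/srv/app/app/models/account.rb:42:in `balance'",
    "/srv/app/app/controllers/accounts_controller.rb:17:in `show'"
  ])
  e
end

# Check a reviewer can run against any rendered body: does it mention internal
# hosts or filesystem paths?
def leaks_internals?(response)
  text = JSON.generate(response[:body])
  text.include?("db.internal") || text.include?("/srv/app/")
end

# consider_all_requests_local = true: the unsafe production setting.
def unsafe_response
  ErrorRenderer.new(AppConfig.new(consider_all_requests_local: true)).render_error(sample_exception)
end

# consider_all_requests_local = false with no controller override: the safe setting.
def safe_response
  ErrorRenderer.new(AppConfig.new(consider_all_requests_local: false)).render_error(sample_exception)
end

# Safe setting, but a controller whose show_detailed_exceptions? returns true:
# the override forces the detailed page regardless of the configuration.
def overridden_response
  ErrorRenderer.new(AppConfig.new(consider_all_requests_local: false),
                    show_detailed_exceptions_override: -> { true }).render_error(sample_exception)
end

if __FILE__ == $PROGRAM_NAME
  { "consider_all_requests_local = true" => unsafe_response,
    "consider_all_requests_local = false" => safe_response,
    "show_detailed_exceptions? returns true" => overridden_response }.each do |label, resp|
    puts "#{label}: leaks internals? #{leaks_internals?(resp)}"
    puts JSON.pretty_generate(resp[:body])
  end
end
```

Running the script prints the three bodies side by side: the first and third contain the internal hostname, the database user and the absolute paths from the backtrace, while only the second returns the fixed public message. The third case is why the rule also flags controller overrides: a correct production.rb is not enough if any controller answers show_detailed_exceptions? with true.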

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_detailed_exceptions

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_detailed_exceptions