Create rule S6776: Stack-traces should not be disclosed (APPSEC-1130) (…

…#3087)
SonarSource · Nov 10, 2023 · 024f761 · 024f761
1 parent c0ea582
commit 024f761
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 0 deletions.
diff --git a/rules/S6776/metadata.json b/rules/S6776/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6776/python/how-to-fix-it/flask.adoc b/rules/S6776/python/how-to-fix-it/flask.adoc
@@ -0,0 +1,26 @@
+== How to fix it in Flask
+
+Implement proper error handling by reporting customized error messages that do not contain a detailed stack trace. Log the exception stack trace if needed.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+@app.errorhandler(500)
+def internal_server_error(error):
+    error_message = traceback.format_stack()
+    return render_template('error.html', error_message=error_message), 500
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+@app.errorhandler(500)
+def internal_server_error(error):
+    error_message = "Internal Server Error"
+    logging.exception()
+    return render_template('error.html', error_message=error_message), 500
+----
diff --git a/rules/S6776/python/metadata.json b/rules/S6776/python/metadata.json
@@ -0,0 +1,45 @@
+{
+  "title": "Stack-traces should not be disclosed",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6776",
+  "sqKey": "S6776",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      489,
+      209
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "14.3.1",
+      "14.3.2"
+    ]
+  },
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "LOW"
+    },
+    "attribute": "COMPLETE"
+  }
+}
diff --git a/rules/S6776/python/rule.adoc b/rules/S6776/python/rule.adoc
@@ -0,0 +1,37 @@
+Exception stack traces contain sensitive data that the application's code should not disclose as error messages. 
+
+== Why is this an issue?
+
+Stack traces contain sensitive data like filenames or folder hierarchies. 
+They can expose implementation details, including the application's architecture, logic, and potential vulnerabilities. 
+Attackers can leverage these valuable insights to identify weaknesses, devise attack strategies, and exploit vulnerabilities.
+
+// How to fix it section
+
+include::how-to-fix-it/flask.adoc[]
+
+== Resources
+=== Documentation
+
+Python Documentation - https://docs.python.org/3/library/traceback.html[traceback — Print or retrieve a stack traceback]
+
+=== Standards
+
+* OWASP Top 10 - https://owasp.org/Top10/A04_2021-Insecure_Design/[A4:2021 Insecure Design]
+* OWASP Top 10 - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[A3:2017 Sensitive Data Exposure] 
+* MITRE - https://cwe.mitre.org/data/definitions/209[CWE-209: Generation of Error Message Containing Sensitive Information]
+* MITRE - https://cwe.mitre.org/data/definitions/489[CWE-489: Active Debug Code] 
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Source: this invocation returns a stack trace.
+Sink: this invocation outputs sensitive content to the HTTP response.
+
+
+endif::env-github,rspecator-view[]