diff --git a/rules/S6776/metadata.json b/rules/S6776/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6776/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6776/python/how-to-fix-it/flask.adoc b/rules/S6776/python/how-to-fix-it/flask.adoc
new file mode 100644
index 00000000000..41c5ed62522
--- /dev/null
+++ b/rules/S6776/python/how-to-fix-it/flask.adoc
@@ -0,0 +1,26 @@
+== How to fix it in Flask
+
+Implement proper error handling by reporting customized error messages that do not contain a detailed stack trace. Log the exception stack trace if needed.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+@app.errorhandler(500)
+def internal_server_error(error):
+ error_message = traceback.format_stack()
+ return render_template('error.html', error_message=error_message), 500
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+@app.errorhandler(500)
+def internal_server_error(error):
+ error_message = "Internal Server Error"
+ logging.exception()
+ return render_template('error.html', error_message=error_message), 500
+----
diff --git a/rules/S6776/python/metadata.json b/rules/S6776/python/metadata.json
new file mode 100644
index 00000000000..65235e22938
--- /dev/null
+++ b/rules/S6776/python/metadata.json
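Review bot: The compliant example's `logging.exception()` call in the flask.adoc hunk is missing its required message argument (`logging.exception(msg, *args, ...)` takes `msg` positionally), so the handler that is meant to demonstrate the fix would itself raise a TypeError at runtime; change it to something like `logging.exception("Unhandled error while serving request")`. The noncompliant example's `traceback.format_stack()` captures the handler's own call stack rather than the traceback of the exception being handled; if the intent is to show the exception trace leaking into the response, `traceback.format_exc()` reads more naturally, though either form illustrates the disclosure.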
@@ -0,0 +1,45 @@
+{
+ "title": "Stack-traces should not be disclosed",
+ "type": "VULNERABILITY",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-6776",
+ "sqKey": "S6776",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 489,
+ 209
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Top 10 2021": [
+ "A4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "14.3.1",
+ "14.3.2"
+ ]
+ },
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown",
+ "code": {
+ "impacts": {
+ "SECURITY": "LOW"
+ },
+ "attribute": "COMPLETE"
+ }
+}
diff --git a/rules/S6776/python/rule.adoc b/rules/S6776/python/rule.adoc
new file mode 100644
index 00000000000..9c89e5b88ae
--- /dev/null
+++ b/rules/S6776/python/rule.adoc
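Review bot: The `"OWASP Top 10 2021": ["A4"]` mapping may not be the closest fit for this rule: the A05:2021 Security Misconfiguration category explicitly lists error handling that reveals stack traces among its examples, so A5 — possibly alongside A4 — seems the more direct match; the same A4:2021 link appears in the Standards section of rule.adoc in this commit and would need to change together. The `"defaultSeverity": "Major"` paired with a `"SECURITY": "LOW"` impact also looks inconsistent if this repository follows the usual Major ↔ MEDIUM correspondence; worth confirming against sibling metadata files before merging.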
@@ -0,0 +1,37 @@
+Exception stack traces contain sensitive data that the application's code should not disclose as error messages.
+
+== Why is this an issue?
+
+Stack traces contain sensitive data like filenames or folder hierarchies.
+They can expose implementation details, including the application's architecture, logic, and potential vulnerabilities.
+Attackers can leverage these valuable insights to identify weaknesses, devise attack strategies, and exploit vulnerabilities.
+
+// How to fix it section
+
+include::how-to-fix-it/flask.adoc[]
+
+== Resources
+=== Documentation
+
+Python Documentation - https://docs.python.org/3/library/traceback.html[traceback — Print or retrieve a stack traceback]
+
+=== Standards
+
+* OWASP Top 10 - https://owasp.org/Top10/A04_2021-Insecure_Design/[A4:2021 Insecure Design]
+* OWASP Top 10 - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[A3:2017 Sensitive Data Exposure]
+* MITRE - https://cwe.mitre.org/data/definitions/209[CWE-209: Generation of Error Message Containing Sensitive Information]
+* MITRE - https://cwe.mitre.org/data/definitions/489[CWE-489: Active Debug Code]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Source: this invocation returns a stack trace.
+Sink: this invocation outputs sensitive content to the HTTP response.
+
+
+endif::env-github,rspecator-view[]