From 024f761667ca21b93fad2cc7eb70f878b2505dad Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 10 Nov 2023 13:12:28 +0100
Subject: [PATCH] Create rule S6776: Stack-traces should not be disclosed
 (APPSEC-1130) (#3087)

---
 rules/S6776/metadata.json                   |  2 +
 rules/S6776/python/how-to-fix-it/flask.adoc | 26 ++++++++++++
 rules/S6776/python/metadata.json            | 45 +++++++++++++++++++++
 rules/S6776/python/rule.adoc                | 37 +++++++++++++++++
 4 files changed, 110 insertions(+)
 create mode 100644 rules/S6776/metadata.json
 create mode 100644 rules/S6776/python/how-to-fix-it/flask.adoc
 create mode 100644 rules/S6776/python/metadata.json
 create mode 100644 rules/S6776/python/rule.adoc

diff --git a/rules/S6776/metadata.json b/rules/S6776/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6776/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6776/python/how-to-fix-it/flask.adoc b/rules/S6776/python/how-to-fix-it/flask.adoc
new file mode 100644
index 00000000000..41c5ed62522
--- /dev/null
+++ b/rules/S6776/python/how-to-fix-it/flask.adoc
@@ -0,0 +1,26 @@
+== How to fix it in Flask
+
+Implement proper error handling by reporting customized error messages that do not contain a detailed stack trace. Log the exception stack trace if needed.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+@app.errorhandler(500)
+def internal_server_error(error):
+    error_message = traceback.format_stack()
+    return render_template('error.html', error_message=error_message), 500
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+@app.errorhandler(500)
+def internal_server_error(error):
+    error_message = "Internal Server Error"
+    logging.exception()
+    return render_template('error.html', error_message=error_message), 500
+----
diff --git a/rules/S6776/python/metadata.json b/rules/S6776/python/metadata.json
new file mode 100644
index 00000000000..65235e22938
--- /dev/null
+++ b/rules/S6776/python/metadata.json
@@ -0,0 +1,45 @@
+{
+  "title": "Stack-traces should not be disclosed",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6776",
+  "sqKey": "S6776",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      489,
+      209
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "14.3.1",
+      "14.3.2"
+    ]
+  },
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "LOW"
+    },
+    "attribute": "COMPLETE"
+  }
+}
diff --git a/rules/S6776/python/rule.adoc b/rules/S6776/python/rule.adoc
new file mode 100644
index 00000000000..9c89e5b88ae
--- /dev/null
+++ b/rules/S6776/python/rule.adoc
@@ -0,0 +1,37 @@
+Exception stack traces contain sensitive data that the application's code should not disclose as error messages. 
+
+== Why is this an issue?
+
+Stack traces contain sensitive data like filenames or folder hierarchies. 
+They can expose implementation details, including the application's architecture, logic, and potential vulnerabilities. 
+Attackers can leverage these valuable insights to identify weaknesses, devise attack strategies, and exploit vulnerabilities.
+
+// How to fix it section
+
+include::how-to-fix-it/flask.adoc[]
+
+== Resources
+=== Documentation
+
+Python Documentation - https://docs.python.org/3/library/traceback.html[traceback — Print or retrieve a stack traceback]
+
+=== Standards
+
+* OWASP Top 10 - https://owasp.org/Top10/A04_2021-Insecure_Design/[A4:2021 Insecure Design]
+* OWASP Top 10 - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[A3:2017 Sensitive Data Exposure] 
+* MITRE - https://cwe.mitre.org/data/definitions/209[CWE-209: Generation of Error Message Containing Sensitive Information]
+* MITRE - https://cwe.mitre.org/data/definitions/489[CWE-489: Active Debug Code] 
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Source: this invocation returns a stack trace.
+Sink: this invocation outputs sensitive content to the HTTP response.
+
+
+endif::env-github,rspecator-view[]