
Add yaml checker for exposed stacktrace#55

Closed
utkarsh181 wants to merge 2 commits into DeepSourceCorp:master from utkarsh181:master

Conversation

@utkarsh181

Summary: Stack Trace Exposure Checker

This checker detects instances where raw stack traces generated by traceback.format_stack(), traceback.format_exc(), or traceback.format_tb() are directly returned in HTTP responses via JsonResponse or HttpResponse. Exposing stack traces can reveal sensitive information, such as file paths, internal logic, and application structure, increasing the risk of exploitation.

Security Impact (OWASP A04:2021 – Insecure Design)

Improper error handling is a key aspect of Insecure Design, as highlighted in OWASP A04:2021. Returning raw stack traces compromises security by leaking implementation details, which attackers can analyze to identify vulnerabilities and craft targeted exploits. Instead of exposing stack traces, applications should log errors securely using the logging module and return generic error messages to users.

Remediation

  • Log, Don’t Expose → Use structured logging (logging.exception(), logging.error()) instead of returning stack traces in responses.
  • Sanitize Responses → Return user-friendly error messages without revealing internal details.
  • Use Proper Error Handling → Implement exception handling frameworks or middleware to manage errors securely.
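As an added example (not the globstar checker or the project's own code), this is the kind of dataflow-aware check a Python AST pass can do for the pattern described above: it tracks the result of traceback.format_exc()/format_stack()/format_tb() through local assignments in source order, so a plain reassignment before the return clears the finding while a trace stored in a local and returned later is still caught. The SAMPLE source and its function names are constructed for this illustration.

```python
import ast
TRACE_FUNCS = {"format_exc", "format_stack", "format_tb"}
RESPONSE_CLASSES = {"HttpResponse", "JsonResponse"}
# Constructed sample: a direct return, a reassigned local, and a trace returned from a handler.
SAMPLE = '''\
import traceback
def direct(request):
    return HttpResponse(traceback.format_exc(), status=500)
def overwritten(request):
    error_trace = traceback.format_exc()
    error_trace = "Internal Server Error"
    return HttpResponse(error_trace, status=500)
def via_handler(request):
    try:
        name = request.GET["name"]
    except KeyError as e:
        tb = traceback.format_tb(e.__traceback__)
        return JsonResponse({"trace": tb}, status=400)
    return HttpResponse("ok")
'''

def _tainted(node, tainted):
    # True for a traceback.format_*() call, or a local name currently holding its result.
    if isinstance(node, ast.Name):
        return node.id in tainted
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and getattr(node.func.value, "id", None) == "traceback" and node.func.attr in TRACE_FUNCS)

def find_exposed_traces(source):
    # Line numbers of `return HttpResponse/JsonResponse(...)` whose arguments carry a trace.
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()  # names currently bound to a traceback string, per function
        stmts = [n for n in ast.walk(func) if isinstance(n, (ast.Assign, ast.Return))]
        for stmt in sorted(stmts, key=lambda n: n.lineno):  # source order = simple flow order
            if isinstance(stmt, ast.Assign):
                hot = any(_tainted(n, tainted) for n in ast.walk(stmt.value))
                for t in stmt.targets:  # a later plain assignment clears the taint
                    if isinstance(t, ast.Name):
                        (tainted.add if hot else tainted.discard)(t.id)
            elif isinstance(stmt.value, ast.Call):
                call = stmt.value
                if isinstance(call.func, ast.Name) and call.func.id in RESPONSE_CLASSES:
                    args = call.args + [k.value for k in call.keywords]
                    if any(_tainted(n, tainted) for a in args for n in ast.walk(a)):
                        findings.append(stmt.lineno)
    return findings
```

Running find_exposed_traces(SAMPLE) reports lines 3 and 13 of the sample and stays silent on the reassigned local, which a purely syntactic pattern match cannot distinguish.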

@vercel

vercel bot commented Feb 22, 2025


@utkarsh181

Hi @sourya-deepsource!

Can you please help me debug it?

@utkarsh181

utkarsh181 commented Feb 24, 2025

Hi!

I have fixed the checker and added a test case.

However, as @srijan-paul mentioned:

I didn't run it locally but something like this is better off with the Go API. There can be multiple levels of control flow and indirection separating the stack trace and log.

For example, we cannot match cases like:

import traceback
from django.http import HttpResponse

def debug_view(request):
    # The trace is captured but then overwritten before it reaches the response,
    # so a purely syntactic match on the variable name gives a false positive.
    error_trace = traceback.format_exc()
    error_trace = "Internal Server Error"
    return HttpResponse(error_trace, content_type="text/plain", status=500)

Or handle exceptions such as:

import traceback
from django.http import HttpResponse, JsonResponse

def hello_world(request):
    try:
        name = request.GET["name"]
        if not name.strip():
            raise ValueError("Name cannot be empty.")
    except KeyError:
        return JsonResponse({"error": "Missing 'name' parameter."}, status=400)
    except ValueError as e:
        # The trace is stored in a local inside the handler and returned later;
        # format_tb() returns a list, so JsonResponse needs safe=False to serialize it.
        tb = traceback.format_tb(e.__traceback__)
        return JsonResponse(tb, safe=False, status=400)

    return HttpResponse(f"Hello, {name}!")

I will look into the Go API once it is stable and as I become more familiar with Go.
