Minor changes to formulations for java/error-message-exposure

RobbingDaHood · aschackmull · web-flow · commit 1cb58922a273 · 2024-07-29T16:48:15.000+02:00
Co-authored-by: Anders Schack-Mulligen &lt;aschackmull@users.noreply.github.com&gt;
diff --git a/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.java b/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.java
@@ -12,7 +12,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) {
 	try {
 		doSomeWork();
 	} catch (NullPointerException ex) {
-		// GOOD: log the stack trace, and send back a non-revealing response
+		// GOOD: log the exception message, and send back a non-revealing response
 		log("Exception occurred", ex.getMessage);
 		response.sendError(
 			HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
diff --git a/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.qhelp b/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.qhelp
@@ -34,8 +34,5 @@ information.</p>
 <a href="https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information">ERR01-J.
 Do not allow exceptions to expose sensitive information</a>.</li>
 
-<li>
-  CWE-209: <a href="https://cwe.mitre.org/data/definitions/209.html">Information Exposure Through an Error Message</a>.
-</li>
 </references>
 </qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql b/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
@@ -1,6 +1,6 @@
 /**
- * @name Information exposure through a error message
- * @description Information from a error message propagates to an external user.
+ * @name Information exposure through an error message
+ * @description Information from an error message propagates to an external user.
  *              Error messages can unintentionally reveal implementation details
  *              that are useful to an attacker for developing a subsequent exploit.
  * @kind problem
diff --git a/java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md b/java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Now alerts about exposing `exception.getMessage()` in servlet responses are split out of `java/stack-trace-exposure` into its own alert `java/error-message-exposure` because this is a better fit. 
+* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`.
