Merge pull request #17075 from RobbingDaHood/17052-second-try-do-not-expose-error-message

Java: 17052 Second try: do not expose error message

Author: aschackmull

java/ql/lib/semmle/code/java/dataflow/ApiSources.qll

@@ -19,5 +19,6 @@ private module AllApiSources {
   private import semmle.code.java.security.InsecureTrustManager
   private import semmle.code.java.security.JWT
   private import semmle.code.java.security.StackTraceExposureQuery
+  private import semmle.code.java.security.SensitiveDataExposureThroughErrorMessageQuery
   private import semmle.code.java.security.ZipSlipQuery
 }

java/ql/lib/semmle/code/java/security/SensitiveDataExposureThroughErrorMessageQuery.qll

@@ -0,0 +1,34 @@
+/** Provides predicates to reason about exposure of error messages. */
+
+import java
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.InformationLeak
+
+/**
+ * A get message source node.
+ */
+private class GetMessageFlowSource extends ApiSourceNode {
+  GetMessageFlowSource() {
+    exists(Method method | this.asExpr().(MethodCall).getMethod() = method |
+      method.hasName("getMessage") and
+      method.hasNoParameters() and
+      method.getDeclaringType().hasQualifiedName("java.lang", "Throwable")
+    )
+  }
+}
+
+private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof GetMessageFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
+}
+
+private module GetMessageFlowSourceToHttpResponseSinkFlow =
+  TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
+
+/**
+ * Holds if there is a call to `getMessage()` that then flows to a servlet response.
+ */
+predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
+  GetMessageFlowSourceToHttpResponseSinkFlow::flow(getMessage, externalExpr)
+}

java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll

@@ -93,32 +93,3 @@ predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stac
     StackTraceStringToHttpResponseSinkFlow::flow(DataFlow::exprNode(stackTraceString), externalExpr)
   )
 }
-
-/**
- * A get message source node.
- */
-private class GetMessageFlowSource extends ApiSourceNode {
-  GetMessageFlowSource() {
-    exists(Method method | this.asExpr().(MethodCall).getMethod() = method |
-      method.hasName("getMessage") and
-      method.hasNoParameters() and
-      method.getDeclaringType().hasQualifiedName("java.lang", "Throwable")
-    )
-  }
-}
-
-private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof GetMessageFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
-}
-
-private module GetMessageFlowSourceToHttpResponseSinkFlow =
-  TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
-
-/**
- * Holds if there is a call to `getMessage()` that then flows to a servlet response.
- */
-predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
-  GetMessageFlowSourceToHttpResponseSinkFlow::flow(getMessage, externalExpr)
-}

java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.java

@@ -0,0 +1,22 @@
+protected void doGet(HttpServletRequest request, HttpServletResponse response) {
+	try {
+		doSomeWork();
+	} catch (NullPointerException ex) {
+		// BAD: printing a exception message back to the response
+		response.sendError(
+			HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+			ex.getMessage());
+		return;
+	}
+
+	try {
+		doSomeWork();
+	} catch (NullPointerException ex) {
+		// GOOD: log the exception message, and send back a non-revealing response
+		log("Exception occurred", ex.getMessage);
+		response.sendError(
+			HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+			"Exception occurred");
+		return;
+	}
+}

java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The error message at the top of a stack trace can include
+information such as server-side file names and SQL code that the
+application relies on, allowing an attacker to fine-tune a subsequent
+injection attack.</p>
+</overview>
+
+<recommendation>
+<p>Send the user a more generic error message that reveals less information.
+Either suppress the error message entirely, or log it only on the server.</p>
+</recommendation>
+
+<example>
+<p>In the following example, an exception is handled in two different
+ways. In the first version, labeled BAD, the exception is sent back to
+the remote user using the <code>getMessage()</code> method. As such,
+the user is able to see a detailed error message, which may contain
+sensitive information. In the second version, the error message is
+logged only on the server. That way, the developers can still access
+and use the error log, but remote users will not see the
+information.</p>
+
+<sample src="SensitiveDataExposureThroughErrorMessage.java" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/Improper_Error_Handling">Improper Error Handling</a>.</li>
+
+<li>CERT Java Coding Standard:
+<a href="https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information">ERR01-J.
+Do not allow exceptions to expose sensitive information</a>.</li>
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Information exposure through an error message
+ * @description Information from an error message propagates to an external user.
+ *              Error messages can unintentionally reveal implementation details
+ *              that are useful to an attacker for developing a subsequent exploit.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 5.4
+ * @precision high
+ * @id java/error-message-exposure
+ * @tags security
+ *       external/cwe/cwe-209
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.SensitiveDataExposureThroughErrorMessageQuery
+
+from Expr externalExpr, Expr errorInformation
+where
+  getMessageFlowsExternally(DataFlow::exprNode(externalExpr), DataFlow::exprNode(errorInformation))
+select externalExpr, "$@ can be exposed to an external user.", errorInformation, "Error information"

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.qhelp

@@ -12,11 +12,7 @@ final state of the software when the error occurred.</p>
 
 <p>Unfortunately, the same information can be useful to an attacker.
 The sequence of class names in a stack trace can reveal the structure
-of the application as well as any internal components it relies on.
-Furthermore, the error message at the top of a stack trace can include
-information such as server-side file names and SQL code that the
-application relies on, allowing an attacker to fine-tune a subsequent
-injection attack.</p>
+of the application as well as any internal components it relies on.</p>
 </overview>
 
 <recommendation>

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql

@@ -20,6 +20,5 @@ import semmle.code.java.security.StackTraceExposureQuery
 from Expr externalExpr, Expr errorInformation
 where
   printsStackExternally(externalExpr, errorInformation) or
-  stringifiedStackFlowsExternally(DataFlow::exprNode(externalExpr), errorInformation) or
-  getMessageFlowsExternally(DataFlow::exprNode(externalExpr), DataFlow::exprNode(errorInformation))
+  stringifiedStackFlowsExternally(DataFlow::exprNode(externalExpr), errorInformation)
 select externalExpr, "$@ can be exposed to an external user.", errorInformation, "Error information"

java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`.

java/ql/test/query-tests/security/CWE-209/semmle/tests/SensitiveDataExposureThroughErrorMessage.expected

@@ -0,0 +1 @@
+| Test.java:55:5:55:19 | getMessage(...) | $@ can be exposed to an external user. | Test.java:55:5:55:19 | getMessage(...) | Error information |