Commit 1c407a2

nickrolfehmac and Harry Maclean committed
Apply suggestions from code review
Co-authored-by: Harry Maclean <[email protected]>
1 parent c660ea1 commit 1c407a2

4 files changed, +11 -11 lines changed

ruby/ql/src/queries/security/cwe-209/StackTraceExposure.qhelp

Lines changed: 1 addition & 1 deletion
Original line number | Diff line number | Diff line change
@@ -33,7 +33,7 @@ Either suppress the stack trace entirely, or log it only on the server.
3333
<example>
3434
<p>
3535
In the following example, an exception is handled in two different ways. In the
36-
first version, labeled BAD, the exception is exposted to the remote user by
36+
first version, labeled BAD, the exception is exposed to the remote user by
3737
rendering it as an HTTP response. As such, the user is able to see a detailed
3838
stack trace, which may contain sensitive information. In the second version, the
3939
error message is logged only on the server, and a generic error message is
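Review bot: the trailing context line of this hunk says "the error message is logged only on the server", but the GOOD version in examples/StackTraceExposure.rb logs `e.backtrace`, not the message, so the qhelp and the example disagree about what is logged; either change this sentence to "the stack trace is logged only on the server" or log `e.full_message` (message, class and trace) in the example so both match. The "exposted" to "exposed" correction on the changed line is right.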

ruby/ql/src/queries/security/cwe-209/examples/StackTraceExposure.rb

Lines changed: 3 additions & 3 deletions
Original line number | Diff line number | Diff line change
@@ -4,15 +4,15 @@ def update_bad(id)
44
do_computation()
55
rescue => e
66
# BAD
7-
render e.backtrace, content_type: "text/plain"
7+
render body: e.backtrace, content_type: "text/plain"
88
end
99

1010
def update_good(id)
1111
do_computation()
1212
rescue => e
1313
# GOOD
14-
log e.backtrace
15-
redner "Computation failed", content_type: "text/plain"
14+
logger.error e.backtrace
15+
render body: "Computation failed", content_type: "text/plain"
1616
end
1717

1818
end
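Review bot: on the GOOD path, `logger.error e.backtrace` passes an Array to the logger, and Ruby's default log formatters render a non-String message with `inspect`, so the trace lands in the log as a single bracketed line instead of one frame per line; prefer `logger.error e.backtrace.join("\n")` or `logger.error e.full_message`, which also carries the exception class and message. Consider adding `status: :internal_server_error` to `render body: "Computation failed", content_type: "text/plain"` so a failed computation does not answer with 200. The `render body:` change on the BAD line is the right fix, since `render` needs the `body:` key to send a raw value rather than look up a template.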
Lines changed: 5 additions & 5 deletions
Original line number | Diff line number | Diff line change
@@ -1,10 +1,10 @@
11
edges
2-
| StackTraceExposure.rb:11:10:11:17 | call to caller : | StackTraceExposure.rb:12:12:12:13 | bt |
2+
| StackTraceExposure.rb:11:10:11:17 | call to caller : | StackTraceExposure.rb:12:18:12:19 | bt |
33
nodes
4-
| StackTraceExposure.rb:6:12:6:22 | call to backtrace | semmle.label | call to backtrace |
4+
| StackTraceExposure.rb:6:18:6:28 | call to backtrace | semmle.label | call to backtrace |
55
| StackTraceExposure.rb:11:10:11:17 | call to caller : | semmle.label | call to caller : |
6-
| StackTraceExposure.rb:12:12:12:13 | bt | semmle.label | bt |
6+
| StackTraceExposure.rb:12:18:12:19 | bt | semmle.label | bt |
77
subpaths
88
#select
9-
| StackTraceExposure.rb:6:12:6:22 | call to backtrace | StackTraceExposure.rb:6:12:6:22 | call to backtrace | StackTraceExposure.rb:6:12:6:22 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:12:6:22 | call to backtrace | Error information |
10-
| StackTraceExposure.rb:12:12:12:13 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller : | StackTraceExposure.rb:12:12:12:13 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information |
9+
| StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information |
10+
| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller : | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information |
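Review bot: every relocated node moves by exactly six columns (`6:12:6:22` to `6:18:6:28`, `12:12:12:13` to `12:18:12:19`), which matches the inserted `body: ` keyword, and no edge, node or #select row is added or dropped, so this hunk is pure realignment of the expected output and does not change what the query reports.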

ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb

Lines changed: 2 additions & 2 deletions
Original line number | Diff line number | Diff line change
@@ -3,13 +3,13 @@ class FooController < ApplicationController
33
def show
44
something_that_might_fail()
55
rescue => e
6-
render e.backtrace, content_type: "text/plain"
6+
render body: e.backtrace, content_type: "text/plain"
77
end
88

99

1010
def show2
1111
bt = caller()
12-
render bt, content_type: "text/plain"
12+
render body: bt, content_type: "text/plain"
1313
end
1414

1515
end
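Review bot: both actions in this test file (`show` rendering `e.backtrace`, `show2` rendering `bt` from `caller()`) are positive cases, so the suite cannot catch a regression where the query starts flagging the sanitized pattern from the qhelp; add a third action that mirrors `update_good` from the example file (trace sent to `logger.error`, generic string in `render body:`) and confirm it yields no #select row in the .expected file. The `body:` change itself is correct and consistent with the example file.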
