Go

Made by DeepSource

Stack trace exposure GO-S1002

Category: Security
Severity: Major
Tags: CWE-209, CWE-497, OWASP Top 10 A04

Stack traces are commonly used as a debugging aid: when an error surfaces (for an end user or anywhere else), the stack trace helps locate issues such as runtime panics and fix them. In particular, a stack trace records the sequence of calls that led to the failure.

Do not write a stack trace to a user-facing HTTP response. It reveals the structure of the application and the internal components it relies on (and much more) to an attacker.

Bad practice

package main

import (
    "net/http"
    "runtime"
)

func do(w http.ResponseWriter, r *http.Request) {
    buf := make([]byte, 2<<16) // 128 KiB scratch buffer for the dump
    buf = buf[:runtime.Stack(buf, true)] // true: stacks of all goroutines
    // NOTE: This is very dangerous as the stack trace
    // is written to the user-facing HTTP response object.
    w.Write(buf)
}

Recommended

package main

import (
    "log"
    "net/http"
    "runtime"
)

func do(w http.ResponseWriter, r *http.Request) {
    buf := make([]byte, 2<<16) // 128 KiB scratch buffer for the dump
    buf = buf[:runtime.Stack(buf, true)] // true: stacks of all goroutines

    // NOTE: Much safer, as the trace is only logged server-side and not
    // sent to the user-facing HTTP response object.
    log.Printf("Panic: %s", buf)
    w.Write([]byte("error: unexpected runtime panic"))
}
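The snippets above capture a stack trace on demand; in practice the trace you most want to keep out of a response is the one produced when a handler actually panics. The following is an added example (not DeepSource's code and not from the Go standard library) that applies the recommended pattern as a middleware: it recovers the panic, logs the panicking goroutine's stack server-side, and sends the client only a generic 500. The names RecoverPanics, FaultyHandler, LooksLikeStackTrace and Serve, and the nil-map panic used to trigger the failure, are this example's own.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime"
	"strings"
)

// ClientMessage is the only detail a caller learns about an internal failure.
const ClientMessage = "error: unexpected runtime panic"

// RecoverPanics wraps a handler so that a panic is logged server-side together
// with the panicking goroutine's stack trace, while the client gets a generic
// 500 response. (Added example; not DeepSource's or net/http's code.)
func RecoverPanics(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				buf := make([]byte, 64<<10)           // 64 KiB scratch buffer
				buf = buf[:runtime.Stack(buf, false)] // false: this goroutine only
				// The detail goes to the server log, never into w.
				log.Printf("panic serving %s %s: %v\n%s", r.Method, r.URL.Path, rec, buf)
				http.Error(w, ClientMessage, http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// FaultyHandler stands in for application code that panics on some request:
// writing to a nil map is a runtime panic. (Constructed fault for the example.)
func FaultyHandler(w http.ResponseWriter, r *http.Request) {
	var m map[string]int
	m["boom"] = 1
}

// LooksLikeStackTrace reports whether a response body carries the markers of a
// Go stack dump. Useful as a response-body check in handler tests.
func LooksLikeStackTrace(body string) bool {
	return strings.Contains(body, "goroutine ") && strings.Contains(body, ".go:")
}

// Serve runs a handler against an in-process GET request and returns the
// status code and response body, so the behaviour can be checked without a
// listening socket.
func Serve(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	code, body := Serve(RecoverPanics(http.HandlerFunc(FaultyHandler)), "/orders")
	fmt.Printf("status=%d body=%q leaks_trace=%v\n", code, body, LooksLikeStackTrace(body))
}
```

Two points worth noting. First, net/http already recovers a panic in a handler and logs it; the middleware exists to control what the client sees and to make sure the trace reaches your own logging rather than being written to the response by handler code. Second, `runtime.Stack(buf, false)` is enough here: the dump of all goroutines (`true`, as in the snippets above) is larger and, if it ever did reach a client, would expose even more of the process.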