DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
JavaScript

JavaScript

Made by DeepSource
Use Analyzer

Audit: Avoid exposing server-side errors to client JS-A1006

Security
Critical
 cwe-209 a04 cwe-497 a09 owasp top 10

An error thrown by code running in the server should never be exposed to a client. Error objects contain information like the state of the call stack, bugs in the server code, dependencies used by the server application, etc. An attacker can intentionally send requests that yield an error and get an idea about the server's code layout and possible vulnerabilities.

Bad Practice

import express from "express"

const app = express()

app.get("/user/:name", async (req, res) => {
  const name = req.params.name
  try {
    const userJson = await getUserFromDb(name)
    res.json(userJson)
  } catch(err) {
    res.status(404)
    // The user will know the depdendencies and layout of
    // the server's codebase.
    res.send(err)
    // Also harmful: res.send(err.stack), res.write(err.message) etc.
  }
})

Recommended

import express from "express"
const app = express()

app.get("/user/:name", async (req, res) => {
  const name = req.params.name
  try {
    const userJson = await getUserFromDb(name)
    res.json(userJson)
  } catch(err) {
    console.error(err) // for debugging from server logs.
    res.status(404)
    res.send("Internal server error.")
  }
})

References