JavaScript

JavaScript

By DeepSource

Audit: Avoid exposing server-side errors to client JS-A1006

Security cwe-209 a04 cwe-497 a09 owasp top 10

An error thrown by code running in the server should never be exposed to a client. Error objects contain information like the state of the call stack, bugs in the server code, dependencies used by the server application, etc. An attacker can intentionally send requests that yield an error and get an idea about the server's code layout and possible vulnerabilities.

Bad Practice

import express from "express"

const app = express()

app.get("/user/:name", async (req, res) => {
  const name = req.params.name
  try {
    const userJson = await getUserFromDb(name)
    res.json(userJson)
  } catch(err) {
    res.status(404)
    // The user will know the depdendencies and layout of
    // the server's codebase.
    res.send(err)
    // Also harmful: res.send(err.stack), res.write(err.message) etc.
  }
})

Recommended

import express from "express"
const app = express()

app.get("/user/:name", async (req, res) => {
  const name = req.params.name
  try {
    const userJson = await getUserFromDb(name)
    res.json(userJson)
  } catch(err) {
    console.error(err) // for debugging from server logs.
    res.status(404)
    res.send("Internal server error.")
  }
})

References