2
try {
    //code
} catch (ParseException e) {
    e.printStackTrace();
} catch (MalformedURLException e) {
    LOG.error("Error in finding Resource Bundle", e);
}

I wrote like that, but when I am using Checkmarx code analysis tool I am getting "Information Exposure Through an Error Message". How to resolve and when this we get.

Alex Gyoshev
  • 11,929
  • 4
  • 44
  • 74
Kalluri Narasimha
  • 41
  • 1
  • 1
  • 5

2 Answers2

2

What is Information Exposure Through an Error Message?

The software generates an error message that includes sensitive information about its environment, users, or associated data.

The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack.

(Quote taken from CWE-209: Information Exposure Through an Error Message )

You did not specify, but I'm assuming that the Checkmarx tool pointed to printStackTrace() as the problematic end point of the flow.

By using this method, an exception (including its entire stack trace) will be printed to the standard error stream. This might include information that may be sensitive by itself (like usernames or passwords) or at least disclose some environment data. If this data is exposed to a user, it can be abused or used maliciously for more effective attacks.

There are many others reasons not to use printStackTrace() that way, as can be seen here: Why is exception.printStackTrace() considered bad practice?

Community
  • 1
  • 1
yaloner
  • 715
  • 2
  • 6
  • 19
  • thanks for replay but i am not using any where printStackTrace(),i am using Logger.fatal method.how can i do... – Kalluri Narasimha Dec 26 '16 at 11:40
  • ` LOG.error("Error in finding Resource Bundle", e);` also generates checkmark for `Information Exposure` – Atul Sharma Dec 26 '16 at 12:07
  • 1
    @KalluriNarasimha You are using printStackTrace(), look at the code you supplied :) – yaloner Dec 26 '16 at 12:13
  • @atulquest93 Writing errors to log may generate a similar yet different result: `Information Exposure Through Server Log` – yaloner Dec 26 '16 at 12:21
  • @yaloner i was actually viewing the checkmark report while writing the answer. `Information Exposure Through an Error Message` this is the exact checkmark generated. May be different version may generate some specific checkmark. – Atul Sharma Dec 26 '16 at 12:25
0

First of all remove e.printStackTrace();.

Now, As its compulsory to log errors so, you can;t remove LOG.error("Error in finding Resource Bundle", e);.

So, just provide the closure for this .. that Logs are being generated. As this is LOW critical their is no big issue.

This happens every-time with our project too :P .

Atul Sharma
  • 9,397
  • 10
  • 38
  • 65