Identify cases where exception messages are printed to users
Cases where an exception message is directly displayed to the user could leak additional information about the implementation of the system. It doesn't look like brakeman currently warns about doing things like flashing the contents of the exception message to users.
Something to consider would be that logging the message to a server-side log file may be OK, so it may not be as simple as finding times when the message method is called.
Hi Thomas,
Thank you for the suggestion.
Do you have any examples of code that you'd want to detect?
I don't have anything from production handy at the moment, but here's an example from Stack Overflow:
    class ApplicationController < ActionController::Base
      rescue_from Exception, :with => :handle_exception

      # rescue_from hands the rescued exception to the handler as an argument
      def handle_exception(error)
        flash[:error] = error.message   # exception text ends up in the user's view
        redirect_to request.referer || root_path
      end
    end
If you just display flash[:error] to a user in a view, you risk exposing details of exceptions. Things displayed to a user shouldn't reveal implementation details. Messages that you display to a user should be more meaningful. I would expect some possible false positives regarding logging error.message, but I'd rather ignore these false positives and ensure good error output that doesn't risk revealing implementation details.
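As an added illustration of the check being requested (an example written here, not brakeman's own code or anything posted in the thread): a line-based heuristic that flags exception messages flowing into `flash`, `flash.now`, or the `alert:`/`notice:` options of `redirect_to` (which Rails also stores in flash), while leaving server-side `logger` calls alone as the discussion suggests. The sample controller source is constructed and every method name in it is hypothetical.

```ruby
# Heuristic detector for exception messages reaching the user via flash.
# Not a brakeman check; a stand-alone, regex-based approximation.
Finding = Struct.new(:line_no, :line)

# Sinks whose value is rendered to the user: flash assignment, and the
# alert:/notice: options of redirect_to (both hash syntaxes).
FLASH_SINKS = [
  /\bflash(\.now)?\[[^\]]+\]\s*=\s*(?<expr>.+)$/,
  /\bredirect_to\b.*\b(alert|notice):\s*(?<expr>[^,]+)/,
  /\bredirect_to\b.*:(alert|notice)\s*=>\s*(?<expr>[^,]+)/
]

# Something that reads an exception's text (or worse, its backtrace).
EXCEPTION_MESSAGE = /\b\w+\.(message|full_message|backtrace)\b/

# Logging the message server-side is acceptable, so such lines are skipped
# to avoid the false positives mentioned in the thread.
LOGGING = /\b(logger|Rails\.logger)\.(debug|info|warn|error|fatal)\b/

def find_exception_message_leaks(source)
  findings = []
  source.each_line.with_index(1) do |raw, idx|
    line = raw.strip
    next if line.start_with?('#') || line =~ LOGGING
    FLASH_SINKS.each do |sink|
      m = sink.match(line)
      next unless m && m[:expr] =~ EXCEPTION_MESSAGE
      findings << Finding.new(idx, line)
      break # one finding per line is enough
    end
  end
  findings
end

# Constructed sample: one leaky handler, one that shows a generic message.
SAMPLE_SOURCE = <<~RUBY
  class ApplicationController < ActionController::Base
    rescue_from Exception, with: :handle_exception

    def handle_exception(error)
      Rails.logger.error(error.message)   # server-side log: acceptable
      flash[:error] = error.message       # exception text shown to the user
      redirect_to request.referer || root_path, alert: error.message
    end

    def safe_handler(error)
      flash[:error] = "Something went wrong. Please try again."
      redirect_to root_path
    end
  end
RUBY

find_exception_message_leaks(SAMPLE_SOURCE).each { |f| puts "line #{f.line_no}: #{f.line}" }
```

Running it reports lines 6 and 7 of the sample and stays quiet on the logging line and the generic message.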