Information exposure alert on intentional input validation exception #16845
-
Is it possible to throw an exception on user input validation failure, and use the Exception.getMessage() to pass this onto the user, while allowing CodeQL scan to pass? I'm referring to a Java project. It appears a level of indirection is required such that Exception.getMessage() cannot be used. This appears to be a false positive though. I have a generic "InvalidInputException" that my validation method throws when it finds a user supplied parameter that is invalid. I'm not revealing any stack trace at all, just using the Exception.getMessage() method to carry a message to the user.
CodeQL is saying:
Information exposure through a stack trace
Using Exception.getMessage() to carry a message actually intended for the user isn't even a stack trace. At a minimum this should be filed under something like "Information exposure through an Exception". Seems like user input validation cannot easily use an Exception to perform notification of validation failure. Bug or feature?
-
Hi @slominskir,
Thanks for your question. At first reading this does look like a false positive. However, from what you're writing it's not completely clear to me what your code is doing. Would it be possible for you to provide a more complete example?
-
Here is a working example: https://github.com/slominskir/codeql-16845.
-
Thanks a lot for the example. This indeed seems to be a false positive, as the stack trace is never output to the user.
Resolving false positives is not a current product priority, but I hereby acknowledge the report. If you would like us to track this properly, please open an issue. This will allow us to track this internally for future consideration, or if we observe repeated instances of the same problem.
-
Thanks. I'll just acknowledge on issue. I don't expect this to be solved soon, unless we receive more reports.
-
Is there any way to provide hints to CodeQL? Perhaps via Java annotations? Or a config file? Might be able to simply hint that Exception.getMessage() is intended for user consumption in specific cases. The workaround I'm using right now is to add a differently named getUserMessage method to the Exception class:
I simply flipped the Enable CodeQL switch in GitHub and accepted all defaults. Looks like there might be some customization, though nothing is jumping out on a brief glance at the docs.
-
If you're working with GitHub actions then there's:
- https://github.com/advanced-security/filter-sarif , or
- https://github.com/advanced-security/dismiss-alerts
If you're running things locally, then the scripts embedded in those actions might give you some ideas of how to do some filtering yourself. If you're running inside VSCode, there's unfortunately not much we can do, except fix the query.
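A local filtering step of the kind the last reply points to, as an added example (not code from the filter-sarif or dismiss-alerts actions, nor from anyone in this thread): it drops results for CodeQL's `java/stack-trace-exposure` rule only under a chosen path and returns what it dropped so the suppression can be reviewed. The SARIF document and the `org/example` paths are constructed, and `filter_sarif` and `result_uris` are hypothetical names.

```python
import copy
import fnmatch
import json

RULE_ID = "java/stack-trace-exposure"  # CodeQL rule behind the alert discussed above

def _result(rule_id, uri, line):
    """Build a minimal SARIF result (helper for the constructed sample only)."""
    return {"ruleId": rule_id, "message": {"text": "constructed"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed SARIF 2.1.0 document, not real scan output; paths are hypothetical.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL"}},
    "results": [
        _result(RULE_ID, "src/main/java/org/example/web/ValidationServlet.java", 42),
        _result(RULE_ID, "src/main/java/org/example/admin/DebugServlet.java", 17),
        _result("java/sql-injection", "src/main/java/org/example/web/ValidationServlet.java", 60),
    ]}]}

def result_uris(result):
    """Return every artifact URI a SARIF result points at."""
    uris = []
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            uris.append(uri)
    return uris

def filter_sarif(sarif, rule_id, path_globs):
    """Return (filtered copy, dropped results). A result is dropped only if its
    rule matches AND all of its locations fall under one of path_globs."""
    out = copy.deepcopy(sarif)
    dropped = []
    for run in out.get("runs", []):
        kept = []
        for res in run.get("results", []):
            rid = res.get("ruleId") or res.get("rule", {}).get("id")
            uris = result_uris(res)
            scoped = bool(uris) and all(
                any(fnmatch.fnmatch(u, g) for g in path_globs) for u in uris)
            (dropped if rid == rule_id and scoped else kept).append(res)
        run["results"] = kept
    return out, dropped

if __name__ == "__main__":
    filtered, dropped = filter_sarif(SAMPLE_SARIF, RULE_ID, ["src/main/java/org/example/web/*"])
    for res in dropped:  # keep an audit trail of what was suppressed
        print("suppressed:", res["ruleId"], result_uris(res)[0])
    print(json.dumps(filtered, indent=2))
```

Scoping the filter to both the rule and a path keeps the same rule active everywhere else, so a real stack-trace leak outside the validation code still raises an alert.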