//semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
using System;
using System.Web;
// Query test fixture: the `// BAD` / `// GOOD` markers below state which
// Response.Write calls the exception-information-exposure query is expected
// to flag. The code exists to exercise the query, not to serve requests
// (doSomeWork always throws, log is a stub).
public class StackTraceHandler : IHttpHandler
{
    // Handler entry point. Each catch block writes something derived from the
    // caught exception to the HTTP response; the markers say whether that
    // write leaks exception internals (stack trace / type / source file) or not.
    public void ProcessRequest(HttpContext ctx)
    {
        try
        {
            doSomeWork();
        }
        catch (Exception ex)
        {
            // BAD: printing a stack trace back to the response
            // (Exception.ToString() includes the type name and stack trace)
            ctx.Response.Write(ex.ToString());
            // BAD: implicitly printing a stack trace back to the response
            // (passing the exception object itself ends up calling ToString())
            ctx.Response.Write(ex);
            // BAD: writing StackTrace property to response
            ctx.Response.Write(ex.StackTrace);
            // GOOD: writing Message property to response
            // NOTE(review): the fixture treats Message as non-revealing; it is
            // whatever text the throwing site supplied, so the flag is about
            // the stack trace, not a guarantee the message is safe to show.
            ctx.Response.Write(ex.Message);
            return;
        }
        try
        {
            doSomeWork();
        }
        catch (Exception ex)
        {
            // GOOD: log the stack trace, and send back a non-revealing response
            log("Exception occurred", ex);
            ctx.Response.Write("Exception occurred");
            return;
        }
        // BAD: printing a stack trace back to the response for a custom exception
        // (MyException.ToString() below is private and not an override, so this
        // call binds to the inherited Exception.ToString())
        ctx.Response.Write(new MyException().ToString());
    }

    // Custom exception used to check that the query reports the ToString()
    // call at the sink rather than the ToString() call inside this class.
    class MyException : Exception
    {
        // Never assigned in this file; only read by the method below.
        private Exception nested;
        // No access modifier and no `override`: this is a private method that
        // hides object.ToString() (the compiler warns about the hiding) rather
        // than overriding it.
        string ToString()
        {
            // IGNORED - the outer ToString() should be reported, not this nested call
            return nested.ToString();
        }
    }

    // Method that may throw an exception
    // (in this fixture it always throws a bare Exception).
    public void doSomeWork()
    {
        throw new Exception();
    }

    // Logging stub: accepts a message and the exception, does nothing with them.
    public void log(string s, Exception e)
    {
        // logging stub
    }

    // IHttpHandler.IsReusable: always reports the handler as reusable.
    public bool IsReusable
    {
        get
        {
            return true;
        }
    }
}