Information Exposure Through an Error Message

Received a security issue on frappe when opened

  1. https:///_test/problematic_page

  2. https:///_test/_test_safe_render_on

Getting the below error, which is disclosing sensitive information

Traceback (most recent call last):
  File "apps/frappe/frappe/utils/jinja.py", line 97, in render_template
    return get_jenv().from_string(template).render(context)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "env/lib/python3.11/site-packages/jinja2/environment.py", line 1111, in from_string
    return cls.from_code(self, self.compile(source), gs, None)
                               ^^^^^^^^^^^^^^^^^^^^
  File "env/lib/python3.11/site-packages/jinja2/environment.py", line 771, in compile
    self.handle_exception(source=source_hint)
  File "env/lib/python3.11/site-packages/jinja2/environment.py", line 942, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "<unknown>", line 1, in template
jinja2.exceptions.TemplateSyntaxError: Encountered unknown tag 'raise'.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "apps/frappe/frappe/website/serve.py", line 20, in get_response
    response = renderer_instance.render()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "apps/frappe/frappe/website/page_renderers/template_page.py", line 84, in render
    html = self.get_html()
           ^^^^^^^^^^^^^^^
  File "apps/frappe/frappe/website/utils.py", line 531, in cache_html_decorator
    html = func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "apps/frappe/frappe/website/page_renderers/template_page.py", line 101, in get_html
    html = self.render_template()
           ^^^^^^^^^^^^^^^^^^^^^^
  File "apps/frappe/frappe/website/page_renderers/template_page.py", line 236, in render_template
    html = frappe.render_template(self.source, self.context, safe_render=safe_render)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "apps/frappe/frappe/utils/jinja.py", line 99, in render_template
    throw(
  File "apps/frappe/frappe/__init__.py", line 603, in throw
    msgprint(
  File "apps/frappe/frappe/__init__.py", line 568, in msgprint
    _raise_exception()
  File "apps/frappe/frappe/__init__.py", line 519, in _raise_exception
    raise exc
frappe.exceptions.ValidationError: <pre>{% raise %}
</pre><pre>Traceback (most recent call last):
  File "apps/frappe/frappe/utils/jinja.py", line 97, in render_template
    return get_jenv().from_string(template).render(context)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "env/lib/python3.11/site-packages/jinja2/environment.py", line 1111, in from_string
    return cls.from_code(self, self.compile(source), gs, None)
                               ^^^^^^^^^^^^^^^^^^^^
  File "env/lib/python3.11/site-packages/jinja2/environment.py", line 771, in compile
    self.handle_exception(source=source_hint)
  File "env/lib/python3.11/site-packages/jinja2/environment.py", line 942, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "<unknown>", line 1, in template
jinja2.exceptions.TemplateSyntaxError: Encountered unknown tag 'raise'.
</pre>

Ref link: CWE-209: Generation of Error Message Containing Sensitive Information (4.16)

How to fix this?

Can you clarify what information is being leaked here?


From my understanding, there is no sensitive information. But we got this issue flagged by a security researcher, and I got stuck on what to respond to the reporter.

I’d respond by asking why a stack trace in an open source project is being flagged by a security researcher as sensitive information :slight_smile:

That said, I can understand why an organization might not want these kinds of errors visible on their public webpage. It should be possible to add custom, less verbose pages for HTTP server errors like this.

In production systems un-check the System Settings > Advanced Tab > “Show Full Error and Allow Reporting of Issues to the Developer” check box and retry if it still exposes the information.

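The checkbox named above is what decides whether a visitor sees the template source and full traceback or a generic error page. The following is an added example written for this thread, not Frappe's own code: a plain-Python stand-in for the render step (the `render_page` function and `TemplateSyntaxError` class are constructed here to reproduce the "unknown tag 'raise'" failure) wrapped in a last-ditch handler whose `show_full_error` flag plays the role of that setting. With the flag off, the full detail still reaches the server log under a reference id, so the reporter gets a CWE-209-clean page and the developer loses nothing.

```python
import html
import logging
import re
import traceback
import uuid
from dataclasses import dataclass

log = logging.getLogger("web.errors")


class TemplateSyntaxError(Exception):
    """Stand-in for jinja2.exceptions.TemplateSyntaxError (constructed for this example)."""


def render_page(source: str, context: dict) -> str:
    """Toy template renderer: substitutes {{ name }} and rejects every {% tag %}.

    Constructed stand-in for frappe.render_template(); it reproduces the failure
    from the thread, "Encountered unknown tag 'raise'", for a {% raise %} page.
    """
    tag = re.search(r"\{%\s*(\w+)", source)
    if tag:
        raise TemplateSyntaxError(f"Encountered unknown tag '{tag.group(1)}'.")
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: str(context.get(m.group(1), "")), source)


@dataclass
class Response:
    status: int
    body: str


def get_response(source: str, context: dict, show_full_error: bool) -> Response:
    """Last-ditch handler around the renderer.

    show_full_error plays the role of the "Show Full Error and Allow Reporting of
    Issues to the Developer" checkbox: on, the visitor gets the template source and
    the full traceback (CWE-209); off, they get a generic page with a reference id
    and the details go to the server log only.
    """
    try:
        return Response(200, render_page(source, context))
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        details = traceback.format_exc()
        # Full detail always goes to the server-side log, keyed by the reference id,
        # so support can correlate a user's report without exposing internals.
        log.error("render failed [%s]\n%s", incident_id, details)
        if show_full_error:
            body = f"<pre>{html.escape(source)}</pre><pre>{html.escape(details)}</pre>"
        else:
            body = f"<p>Sorry, something went wrong. Reference: {incident_id}</p>"
        return Response(500, body)


def leaks_internals(body: str) -> bool:
    """Check a reviewer can run on the served body: any trace of file paths,
    tracebacks or template source means CWE-209 still applies."""
    markers = ("Traceback (most recent call last)", 'File "', '.py"', "{%", "site-packages")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for flag in (True, False):
        r = get_response("{% raise %}", {}, show_full_error=flag)
        print(f"show_full_error={flag}: status={r.status} leaks={leaks_internals(r.body)}")
```

Running the block renders the same `{% raise %}` page twice, once per setting; `leaks_internals` is the quick check to repeat against the live site after the checkbox has been turned off.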

Thanks @revant_one, this worked.

Such a stack trace in itself is a hint that something in the application or its configuration (also: low-code endeavors) is not handled correctly, was overlooked, data not sanitized, etc. by the dev building the code triggering the error.

As a security researcher, you’d look at the code so usefully hinted at by the last-ditch error catcher and try to find ways to coerce the application to do things it’s not supposed to do: disclose other data, acquire code execution, getting LPE, e.g. escalate the bug in any way. This can get quite elaborate and creative, and it takes special training to successfully attack as well as defend against such attacks.

The hint to the solution in this case also implies that “setting up production” (as described in the official – and also other dispersed – docs, and the command summaries) doesn’t apply sane defaults, which best practices surely demand.
Thus, uncertainties are left floating around, unbeknownst to users, implementors, maybe even frappe devs themselves.
A security check list for a start probably wouldn’t be a bad thing.