Security Finding
Severity: HIGH
Location: src/pages/Settings.js:143, 193
CWE: CWE-209 (Information Exposure Through Error Messages)
Description
Error messages display full exception details to users, potentially exposing:
- Backend structure
- API endpoint details
- Stack traces
- Internal error codes
Current Code
```javascript
catch (e) {
  // The two toast.error calls flagged at lines 143 and 193: the raw exception
  // message is interpolated straight into the text shown to the user.
  toast.error(`Connection test failed: ${e.message}`);
  toast.error(`Failed to save: ${e.message}. Is the backend running?`);
}
```
Recommended Fix
- Use generic error messages for users
- Log detailed errors server-side only
- Implement error codes for debugging
- Never expose stack traces or internal paths
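An added example of the recommended pattern, not code from the repository's Settings.js: the user sees a fixed message plus an error code and a short reference id, while the exception details go to a reporting sink. The `reportError` sink, the `ERROR_CODES` values and the sample error text are assumptions constructed for illustration.

```javascript
// Stable, documented codes a support engineer can search for in the logs.
const ERROR_CODES = {
  CONNECTION_TEST_FAILED: "SET-001",
  SAVE_FAILED: "SET-002",
};

// Sink for detailed errors. In a real app this would forward to the backend
// or an error tracker, never to the UI; here it just collects entries.
const reported = [];
function reportError(entry) {
  reported.push(entry);
}

// Records the full exception and returns the only text safe to show a user.
function toUserError(e, code) {
  // Correlation id so the user's report can be matched to the logged entry.
  const ref = Math.random().toString(16).slice(2, 10);
  reportError({
    code,
    ref,
    message: e && e.message,
    stack: e && e.stack,
    at: new Date().toISOString(),
  });
  return `Something went wrong (code ${code}, ref ${ref}). Please try again or contact support.`;
}

// "Before": the flagged pattern, exception details flow straight to the toast.
function onSaveUnsafe(toast, e) {
  toast.error(`Failed to save: ${e.message}. Is the backend running?`);
}

// "After": the toast carries only the generic message, code and reference.
function onSaveSafe(toast, e) {
  toast.error(toUserError(e, ERROR_CODES.SAVE_FAILED));
}

// Constructed sample: an error whose message names an internal host and route.
function demo() {
  const shown = [];
  const toast = { error: (m) => shown.push(m) };
  const e = new Error("ECONNREFUSED 10.0.0.12:8080 at POST /api/v1/internal/settings");
  onSaveUnsafe(toast, e);
  onSaveSafe(toast, e);
  return { shown, reported };
}
```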
References
- Arcanum Anti-Patterns: Excessive Data Exposure (Priority Release v2.1: Separate Controls & Assessments Tabs with Requirement Mapping #9)
- OWASP: Error Handling
Found by Arcanum sec-context security review