Exposure of sensitive system information to an unauthorized control sphere
ID | scala.unsafe.scala_unsafe_rule_sensitivedataexposure
Severity | low
Resource | Unsafe
Language | Scala
Description
Applications can unintentionally leak information about their configuration or internal workings, or violate user privacy, through a variety of application defects. Endpoints that return different responses depending on whether the supplied data is valid can lead to information leakage, particularly when data the application treats as confidential is revealed as a direct result of the web application's design.
Rationale
This rule flags code that reads a configuration entry whose key is chosen by the caller and then includes the value in an HTTP response. Configuration typically holds secrets (database credentials, API keys, internal hostnames), so letting request data select the key turns the endpoint into an oracle for arbitrary configuration values. Because Typesafe Config's getString throws for a missing key while returning normally for a present one, the response also differs based on the validity of the supplied key, which allows an attacker to enumerate which settings exist even where the value itself is not echoed.
The following Play Framework code illustrates a vulnerable pattern detected by this rule:
import play.api.Configuration
import play.api.mvc._

// `value` comes straight from the HTTP request (route or query parameter), so the
// caller decides which configuration key is read.
def doGet(configuration: Configuration, value: String) = Action {
  val configElement = configuration.underlying.getString(value)
  // VULNERABLE: Exposure of sensitive system information to an unauthorized control sphere
  Ok("Hello " + configElement + " !")
}
Remediation
Never let request data select which configuration entry is read. If a caller legitimately needs to read a setting, resolve the request against a fixed allowlist of entries the application is willing to disclose, and return the same generic response for unknown and disallowed names so that the response does not reveal whether a key exists. Do not echo configuration values into responses or error messages, and keep secrets out of any path that is reachable from user input. Review the references below for further guidance.
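The following is an added example of the hardened form, not code from the original rule page or from the Play project. It assumes a Play controller with an injected Configuration; the controller name, the caller-facing names and the configuration paths in the allowlist are hypothetical.

```scala
import play.api.Configuration
import play.api.mvc._

// Added example (hypothetical names): only the entries listed here may be
// disclosed, and the caller-facing name is never used directly as a config path.
object SafeConfigLookup {
  private val exposableKeys: Map[String, String] = Map(
    "appName" -> "app.name",
    "version" -> "app.version"
  )

  // Returns None both for names that are not on the allowlist and for allowed
  // names whose configuration entry is absent, so the two cases are indistinguishable.
  def lookup(configuration: Configuration, requested: String): Option[String] =
    exposableKeys
      .get(requested)
      .flatMap(path => configuration.getOptional[String](path))
}

class HelloController(configuration: Configuration, cc: ControllerComponents)
    extends AbstractController(cc) {

  def doGet(value: String) = Action {
    SafeConfigLookup.lookup(configuration, value) match {
      case Some(element) => Ok("Hello " + element + " !")
      // Same generic response whether the key is unknown, disallowed or unset.
      case None => NotFound("Unknown property")
    }
  }
}
```

Using getOptional instead of the underlying getString also removes the exception path, so a missing key no longer produces an error page that differs from the success response.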
References
- OWASP Top 10 2021 - A01: Broken Access Control.