no-exposed-error-details
ESLint rule documentation for no-exposed-error-details
Keywords: error details, stack trace, information disclosure, CWE-209, Lambda, serverless
CWE: CWE-209
OWASP: A01:2021-Broken Access Control
Detect Lambda handlers exposing internal error details in responses
Detects Lambda handlers that expose internal error details (stack traces, config, paths) in API responses. This rule is part of eslint-plugin-lambda-security and provides LLM-optimized error messages.
⚠️ Security rule | 💡 Provides suggestions | 📋 Set to warn in recommended
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-209 (Info Disclosure) |
| Severity | Medium (information disclosure) |
| Auto-Fix | 💡 Suggests generic error responses |
| Category | Security |
| Best For | Lambda functions returning API Gateway responses |
Vulnerability and Risk
Vulnerability: Exposing internal error details like stack traces, file paths, configuration, or environment information in API responses gives attackers valuable reconnaissance information.
Risk: Exposed error details reveal:
- Internal file paths and application structure
- Library versions and dependencies
- Database connection strings
- Internal service endpoints
- Configuration details
Rule Details
This rule detects API responses that include:
- `error.stack` or `error.stackTrace`
- `__dirname`, `__filename`
- `error.config`, `error.env`
- `JSON.stringify(error)` (exposes all enumerable error properties)
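The following is an added example, not code from eslint-plugin-lambda-security or its documentation. It shows what each flagged pattern actually puts on the wire and provides a checker that a handler's test suite can run over a response body to catch the properties listed above. The upstream error, its `config` contents and the token are constructed for the demo; `process.cwd()` stands in for `__dirname` so the snippet runs under both CommonJS and ESM; `findExposedDetails` and `FORBIDDEN_KEYS` are names chosen here, with the key list taken from this page.

```javascript
// Added example, not part of eslint-plugin-lambda-security. All values are constructed.

// Constructed error shaped like an HTTP-client error: `code` and `config` are
// ordinary enumerable properties, so JSON.stringify serialises them.
function makeUpstreamError() {
  const err = new Error('Request failed with status code 502');
  err.code = 'EUPSTREAM';
  err.config = {
    url: 'https://billing.internal.example/charge',            // constructed endpoint
    headers: { Authorization: 'Bearer FAKE-TOKEN-FOR-DEMO' },  // constructed secret
  };
  return err;
}

// ❌ Flagged: JSON.stringify(error) ships every enumerable property.
// (message and stack are non-enumerable on Error, so they happen to be omitted
// here, but config, env and any custom field go straight to the client.)
function unsafeBody(error) {
  return JSON.stringify(error);
}

// ❌ Flagged: stack and a deployment path copied into the body explicitly.
// process.cwd() is a stand-in for __dirname so this runs under CommonJS and ESM.
function unsafeBodyExplicit(error) {
  return JSON.stringify({ message: error.message, stack: error.stack, path: process.cwd() });
}

// ✅ Generic body: nothing taken from the error object, only a correlation id.
function safeBody(requestId) {
  return JSON.stringify({ error: 'Internal server error', requestId });
}

// Property names from this page that must never reach a client.
const FORBIDDEN_KEYS = new Set(['stack', 'stackTrace', 'config', 'env', 'path', 'cause']);

// Walks a JSON response body and reports forbidden keys at any depth, plus any
// string value that contains Node stack-frame lines ("    at fn (file:line:col)").
function findExposedDetails(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return ['body is not valid JSON'];
  }
  const findings = [];
  const walk = (node, trail) => {
    if (typeof node === 'string') {
      if (/\n\s+at /.test(node)) findings.push(`${trail}: contains stack frames`);
      return;
    }
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      const here = trail ? `${trail}.${key}` : key;
      if (FORBIDDEN_KEYS.has(key)) findings.push(`${here}: forbidden key`);
      walk(value, here);
    }
  };
  walk(parsed, '');
  return findings;
}

// Stand-alone run: show the findings for each body.
console.log('JSON.stringify(error):', findExposedDetails(unsafeBody(makeUpstreamError())));
console.log('explicit stack/path:  ', findExposedDetails(unsafeBodyExplicit(makeUpstreamError())));
console.log('generic body:         ', findExposedDetails(safeBody('req-1')));
```

The checker is deliberately key-based rather than value-based: it flags `config` even when the constructed token inside it is harmless, because the presence of the key is the defect the rule is about, not the particular secret that happened to be in it this time.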
Why This Matters
| Risk | Impact | Solution |
|---|---|---|
| 🔍 Reconnaissance | Attackers learn internal structure | Return generic error messages |
| 📂 Path Disclosure | Internal paths reveal deployment info | Log details server-side only |
| 🔑 Config Exposure | Secrets in error objects exposed | Sanitize before returning |
Configuration
| Option | Type | Default | Description |
|---|---|---|---|
| allowInTests | boolean | true | Allow in test files |

```javascript
{
  rules: {
    'lambda-security/no-exposed-error-details': ['warn', {
      allowInTests: true
    }]
  }
}
```

Examples
❌ Incorrect
```javascript
export const handler = async (event) => {
  try {
    await processRequest(event);
  } catch (error) {
    return {
      statusCode: 500,
      body: JSON.stringify({
        message: error.message,
        stack: error.stack, // ❌ Exposes internal paths
        path: __dirname // ❌ Exposes deployment structure
      })
    };
  }
};

// Also dangerous: serialising the error object itself
export const handler2 = async (event) => {
  try {
    await processRequest(event);
  } catch (error) {
    return {
      statusCode: 500,
      body: JSON.stringify(error) // ❌ Exposes all enumerable error properties
    };
  }
};
```

✅ Correct
```javascript
export const handler = async (event, context) => {
  try {
    await processRequest(event);
    return { statusCode: 200, body: '{}' };
  } catch (error) {
    // Log details server-side (CloudWatch)
    console.error('Request failed', {
      // ✅ Server-side logging
      error,
      requestId: context.awsRequestId,
      event: JSON.stringify(event),
    });
    // Return generic message to client
    return {
      statusCode: 500,
      body: JSON.stringify({
        error: 'Internal server error', // ✅ Generic message
        requestId: context.awsRequestId, // ✅ Correlation ID for support
      }),
    };
  }
};
```

✅ Custom Error Classes
```typescript
class AppError extends Error {
  constructor(
    public statusCode: number,
    public userMessage: string, // Safe for client
    message: string, // For logging only
  ) {
    super(message);
  }

  toResponse() {
    return {
      statusCode: this.statusCode,
      body: JSON.stringify({ error: this.userMessage }), // ✅ Safe
    };
  }
}

export const handler = async (event) => {
  try {
    await processRequest(event);
  } catch (error) {
    console.error(error); // Full details to CloudWatch
    if (error instanceof AppError) {
      return error.toResponse(); // ✅ Controlled exposure
    }
    return {
      statusCode: 500,
      body: JSON.stringify({ error: 'Internal error' }),
    };
  }
};
```

Sensitive Error Properties
| Property | Risk | Should Expose |
|---|---|---|
| message | May contain sensitive details | ⚠️ Sanitize |
| stack | Reveals paths, line numbers | ❌ Never |
| cause | May chain sensitive errors | ❌ Never |
| code | Internal error codes | ⚠️ Map to user codes |
| config | Request/response configurations | ❌ Never |
| path | File system paths | ❌ Never |
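As an added example (not code from eslint-plugin-lambda-security), the wrapper below generalises the ✅ Correct handler and the `AppError` pattern above into one reusable function, and applies the property table: `stack`, `cause`, `config` and `path` never leave the function, `message` is replaced by a fixed client string, and `code` is mapped to a user-facing code through an allow-list. The handler, the error codes, the private address and the connection string are all constructed for the demo; `withSafeErrors`, `buildErrorResponse`, `toClientError` and `CLIENT_ERRORS` are names chosen here, and the `log` option is an assumption so a test can silence output.

```javascript
// Added example, not part of eslint-plugin-lambda-security. All values are constructed.

// Allow-list of internal codes the client may learn about, expressed in client
// terms. Anything not listed collapses to a generic 500, so a newly introduced
// internal code cannot leak simply by being thrown.
const CLIENT_ERRORS = {
  EVALIDATION: { statusCode: 400, code: 'BAD_REQUEST', message: 'Request could not be validated' },
  ERECORD_MISSING: { statusCode: 404, code: 'NOT_FOUND', message: 'Resource not found' },
};
const GENERIC_ERROR = { statusCode: 500, code: 'INTERNAL_ERROR', message: 'Internal server error' };

// Maps an internal error to the only three fields a client response is built from.
// hasOwnProperty guards against codes like "constructor" hitting Object.prototype.
function toClientError(error) {
  const code = error && typeof error.code === 'string' ? error.code : '';
  return Object.prototype.hasOwnProperty.call(CLIENT_ERRORS, code) ? CLIENT_ERRORS[code] : GENERIC_ERROR;
}

// Builds the response from the mapped fields plus a correlation id. The error
// object itself is never handed to JSON.stringify, so nothing enumerable leaks.
function buildErrorResponse(error, requestId) {
  const { statusCode, code, message } = toClientError(error);
  return {
    statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ error: message, code, requestId }),
  };
}

// Wraps a handler: full error to the server-side log, generic body to the client.
// `log` is injectable (assumed here) so tests can capture or silence it.
function withSafeErrors(handler, { log = console.error } = {}) {
  return async (event, context) => {
    try {
      return await handler(event, context);
    } catch (error) {
      const requestId = context && context.awsRequestId;
      log('Request failed', { requestId, error }); // message, stack, cause, config stay here
      return buildErrorResponse(error, requestId);
    }
  };
}

// Constructed handler that fails in two different ways.
const demoHandler = async (event) => {
  if (event.mode === 'validation') {
    const err = new Error('body.amount must be a positive integer (got -5)');
    err.code = 'EVALIDATION';
    throw err;
  }
  if (event.mode === 'db') {
    const err = new Error('connect ECONNREFUSED 10.0.3.17:5432'); // constructed
    err.code = 'ECONNREFUSED';
    err.config = { connectionString: 'postgres://app:FAKE-PASSWORD@db.internal:5432/app' }; // constructed
    throw err;
  }
  return { statusCode: 200, body: '{}' };
};

// Exported-style handler; the log is swapped for a no-op so the demo stays quiet.
const handler = withSafeErrors(demoHandler, { log: () => {} });

// Stand-alone run: the validation failure becomes a 400 with a mapped code, the
// database failure becomes a generic 500, neither body carries internal detail.
handler({ mode: 'validation' }, { awsRequestId: 'demo-1' }).then((r) => console.log(r.statusCode, r.body));
handler({ mode: 'db' }, { awsRequestId: 'demo-2' }).then((r) => console.log(r.statusCode, r.body));
```

The allow-list is the important design choice: the default outcome for an unknown error is the generic response, so adding a new internal error type requires an explicit decision before any of it is shown to a caller, which is the opposite of `JSON.stringify(error)`, where the default is to expose everything.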
Security Impact
| Vulnerability | CWE | OWASP | CVSS | Impact |
|---|---|---|---|---|
| Info Disclosure | 209 | A01:2021 | 4.3 Medium | Reconnaissance aid |
| Improper Error Handling | 755 | A01:2021 | 3.7 Low | Information leakage |
Related Rules
- no-error-swallowing - Don't swallow errors
- no-env-logging - Don't log environment variables
Further Reading
- CWE-209: Info Disclosure in Errors - Official CWE entry
- OWASP Error Handling - Best practices
- AWS Lambda Error Handling - AWS documentation