IBM / ibm-cos-sdk-java

SAST: ErrorHandling.RevealDetails.StackTrace

roryodonnell opened this issue · comments

Existing

            /**
             * Wrap OAuthServiceException as AmazonS3Exception and re-throw for backwards compatibility.
             */
            AmazonS3Exception ase = new AmazonS3Exception(ose.getErrorMessage());
            ase.setStatusCode(ose.getStatusCode());
            ase.setServiceName("IAM");
            ase.setStackTrace(ose.getStackTrace());
            throw ase;

Possible solution

            /**
             * Wrap OAuthServiceException as AmazonS3Exception and re-throw for backwards compatibility.
             */
            AmazonS3Exception ase = new AmazonS3Exception(ose.getErrorMessage(), ose);
            ase.setStatusCode(ose.getStatusCode());
            ase.setServiceName("IAM");
            throw ase;


As the code states, one exception is being wrapped and re-thrown as another. The stack trace for the new exception needs to match the original, which requires using that value.

The scanner probably flags this because it is not good practice to display stack trace details to end users. However, the SDK is a framework for building applications, and much like a development library, is not the final link in the chain. The end application is responsible for properly sanitizing details displayed to users.

Thanks Eric -
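The following is an added example, not code from ibm-cos-sdk-java or from anyone in this thread. It shows the two halves of the argument above in one runnable file: the SDK side wraps the IAM failure with the original as the cause (as in the proposed solution) so the origin frames stay reachable for debugging, and the application side, which is the final link in the chain, logs the full chain internally and returns only a sanitized summary to the user. The OAuthServiceException and AmazonS3Exception classes here are hypothetical stand-ins with the handful of methods the snippet above uses, so the file compiles without the SDK on the classpath; the error message and status code are constructed sample values.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.logging.Logger;

// Hypothetical stand-in for the SDK's OAuthServiceException (only the methods used above).
class OAuthServiceException extends RuntimeException {
    private final int statusCode;
    OAuthServiceException(String message, int statusCode) { super(message); this.statusCode = statusCode; }
    int getStatusCode() { return statusCode; }
    String getErrorMessage() { return getMessage(); }
}

// Hypothetical stand-in for the SDK's AmazonS3Exception (only the methods used above).
class AmazonS3Exception extends RuntimeException {
    private int statusCode;
    private String serviceName;
    AmazonS3Exception(String message) { super(message); }
    AmazonS3Exception(String message, Throwable cause) { super(message, cause); }
    void setStatusCode(int statusCode) { this.statusCode = statusCode; }
    int getStatusCode() { return statusCode; }
    void setServiceName(String serviceName) { this.serviceName = serviceName; }
    String getServiceName() { return serviceName; }
}

public class ExceptionWrapping {
    // SDK side: wrap as the proposed solution does. The original exception becomes the cause,
    // so its frames are preserved under "Caused by:" instead of overwriting the new trace.
    static AmazonS3Exception wrap(OAuthServiceException ose) {
        AmazonS3Exception ase = new AmazonS3Exception(ose.getErrorMessage(), ose);
        ase.setStatusCode(ose.getStatusCode());
        ase.setServiceName("IAM");
        return ase;
    }

    // Application side: the full chain goes to the server-side log; the end user gets
    // only the service name and HTTP status, never the stack trace.
    static String userFacingMessage(AmazonS3Exception ase, Logger log) {
        StringWriter sw = new StringWriter();
        ase.printStackTrace(new PrintWriter(sw));
        log.severe(sw.toString());
        return "Request failed (" + ase.getServiceName() + ", HTTP " + ase.getStatusCode() + ")";
    }

    // Constructed failure standing in for an IAM token call that rejects the credentials.
    static void callIamToken() {
        throw new OAuthServiceException("Provided API key could not be found", 400);
    }

    public static void main(String[] args) {
        try {
            try {
                callIamToken();
            } catch (OAuthServiceException ose) {
                throw wrap(ose);
            }
        } catch (AmazonS3Exception ase) {
            // The origin frame is still available to developers through the cause chain...
            StackTraceElement origin = ase.getCause().getStackTrace()[0];
            System.out.println("cause: " + ase.getCause().getClass().getSimpleName()
                + " raised in " + origin.getMethodName());
            // ...while the user-facing output carries no trace details.
            System.out.println(userFacingMessage(ase, Logger.getLogger("cos-example")));
        }
    }
}
```

Compile and run it as `javac ExceptionWrapping.java && java ExceptionWrapping`. The logger output (stderr by default) contains both the AmazonS3Exception frames and the "Caused by: OAuthServiceException" block, while stdout shows only the cause class and the one-line summary; that split is the sanitization the thread says belongs in the application rather than in the SDK.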