Information exposure alert on intentional input validation exception

[slominskir]

Is it possible to throw an exception on user input validation failure, and use the Exception.getMessage() to pass this onto the user, while allowing CodeQL scan to pass? I'm referring to a Java project. It appears a level of indirection is required such that Exception.getMessage() cannot be used. This appears to be a false positive though. I have a generic "InvalidInputException" that my validation method throws when it finds a user supplied parameter that is invalid. I'm not revealing any stack trace at all, just using the Exception.getMessage() method to carry a message to the user.

CodeQL is saying:

Information exposure through a stack trace

Using Exception.getMessage() to carry a message actually intended for the user isn't even a stack trace. At a minimum this should be filed under something like "Information exposure through an Exception". Seems like user input validation cannot easily use an Exception to perform notification of validation failure. Bug or feature?

[jketema]

Hi @slominskir,

Thanks for you question. At first reading this does look like a false positive. However, from what you're writing it's not completely clear to me what your code is doing. Would it be possible for you to provide a more complete example?

[slominskir]

Here is a working example: https://github.com/slominskir/codeql-16845.

[jketema]

Thanks at lot for the example. This indeed seems to be a false positive, as the stack trace is never output to the user.

Resolving false positives is not a current product priority, but I hereby acknowledge the report. If you would like us to track this properly, please open an issue. This will allow us to track this internally for future consideration, or if we observe repeated instances of the same problem.

[slominskir]

#16867

[jketema]

Thanks. I'll just acknowledge on issue. I don't expect this to be solved soon, unless we receive more reports.

[slominskir]

Is there any way to provide hints to CodeQL? Perhaps via Java annotations? Or a config file? Might be able to simply hint that Exception.getMessage() is intended for user consumption in specific cases. The workaround I'm using right now is to add a differently named getUserMessage method to the Exception class:

https://github.com/slominskir/codeql-16845/blob/223f2107aafabc8781fe66d59dc47a9835f4c6b0/src/main/java/com/example/TestServlet.java#L37-L38

I simply flipped the Enable CodeQL switch in GitHub and accepted all defaults. Looks like there might be some customization, though nothing is jumping out on a brief glance at the docs.

[jketema]

If you're working with GitHub actions then there's:

• https://github.com/advanced-security/filter-sarif , or
• https://github.com/advanced-security/dismiss-alerts

If you're running things locally, then the scripts embedded in those actions might give you some ideas of how to do some filtering yourself. If you're running inside VSCode, there's unfortunately not much we can do, except fix the query.