返回 Skill 列表
extension
分类: 开发与工程无需 API Key

cwe-200-information-exposure

在需要修复Java代码中的CWE-200(信息泄露)漏洞时使用此技能。触发于静态应用程序安全测试发现、安全审查或修复信息泄露问题时。

person作者: jakexiaohubgithub

CWE-200 Information Exposure

Description

Information Exposure

Reference: https://cwe.mitre.org/data/definitions/200.html

OWASP Category: A01:2021 – Broken Access Control


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Stack trace exposed
@ExceptionHandler(Exception.class)
public ResponseEntity<?> handleException(Exception e) {
    e.printStackTrace();
    return ResponseEntity.status(500).body(e.getMessage());
}

Why it's vulnerable: This pattern is vulnerable to Information Exposure


Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Log details internally, return generic message
@ExceptionHandler(Exception.class)
public ResponseEntity<?> handleException(Exception e) {
    String errorId = UUID.randomUUID().toString();
    log.error("Error ID {}: {}", errorId, e.getMessage(), e);
    return ResponseEntity.status(500)
        .body(Map.of("error", "Internal error", "errorId", errorId));
}

Why it's secure: Implements proper protection against Information Exposure


Detection Pattern

Look for these patterns in your codebase:

# Find exception exposure
grep -rn "printStackTrace\\|getMessage.*body\\|e.toString" --include="*.java"

Remediation Steps

  1. Return generic error messages to users

  2. Log detailed errors internally with correlation IDs

  3. Disable debug mode in production

  4. Review error responses for information leakage


Key Imports


import java.util.UUID;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-200 vulnerability
Resolve Information Exposure issue
Secure this Java code against information exposure
SAST reports CWE-200

Common Vulnerable Locations

| Layer | Files | Patterns | |-------|-------|----------|

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07