58 lines
1.3 KiB
Plaintext
58 lines
1.3 KiB
Plaintext
``++Throwable.printStackTrace(...)++`` prints a ``++Throwable++`` and its stack trace to some stream. By default that stream ``++System.Err++``, which could inadvertently expose sensitive information.
|
|
|
|
|
|
Loggers should be used instead to print ``++Throwable++``s, as they have many advantages:
|
|
|
|
* Users are able to easily retrieve the logs.
|
|
* The format of log messages is uniform and allow users to browse the logs easily.
|
|
|
|
This rule raises an issue when ``++printStackTrace++`` is used without arguments, i.e. when the stack trace is printed to the default stream.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,java]
|
|
----
|
|
try {
|
|
/* ... */
|
|
} catch(Exception e) {
|
|
e.printStackTrace(); // Noncompliant
|
|
}
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
[source,java]
|
|
----
|
|
try {
|
|
/* ... */
|
|
} catch(Exception e) {
|
|
LOGGER.log("context", e);
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|