Stack Trace Disclosure (Grails)
Description
The application exposes detailed stack traces to users when errors occur. Stack traces are diagnostic messages generated by the Grails framework that reveal internal application structure, including file paths, code snippets, framework versions, and configuration details. This information disclosure vulnerability occurs when error handling is not properly configured to suppress technical details in production environments.
Remediation
Configure the Grails application to suppress detailed error messages in production environments and implement proper exception handling:
1. Set the appropriate error handling configuration in grails-app/conf/application.yml or Config.groovy:
   grails:
       views:
           gsp:
               encoding: UTF-8
               sitemesh:
                   preprocess: true
       error:
           handling:
               printStackTraces: false

2. Configure custom error pages in grails-app/conf/UrlMappings.groovy:

   class UrlMappings {
       static mappings = {
           "500"(view: '/error')
           "404"(view: '/notFound')
       }
   }

3. Implement global exception handling using a custom error controller that logs detailed errors server-side while displaying generic messages to users.
4. Ensure that production environments have grails.serverURL properly configured and development mode is disabled.
5. Review application logs to ensure stack traces are captured for debugging purposes while remaining inaccessible to end users.
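Putting steps 2 and 3 together, the following is an added example (not code from the original advisory): the "500" and "404" mappings are pointed at a controller rather than straight at a view, so the exception is logged with a correlation id server-side while the user only receives a generic page. The controller name ErrorController and the incidentId model attribute are assumptions for this example.

```groovy
// grails-app/conf/UrlMappings.groovy: route error codes to a controller instead of
// directly to a view, so the exception can be logged before a generic page is shown.
class UrlMappings {
    static mappings = {
        "500"(controller: 'error', action: 'serverError')
        "404"(controller: 'error', action: 'notFound')
    }
}

// grails-app/controllers/ErrorController.groovy (hypothetical name for this example).
// Grails injects `log` into controllers and exposes the failing request's exception
// as `request.exception` when it forwards to the "500" mapping.
class ErrorController {

    def serverError() {
        Throwable cause = request.exception          // full trace, kept server-side only
        String incidentId = UUID.randomUUID().toString()
        // Log everything needed for debugging, tagged with an id the user can quote to support.
        log.error("Unhandled exception [incident=${incidentId}] for ${request.forwardURI}", cause)
        response.status = 500
        // The model deliberately carries no exception object, message text or class name.
        render(view: '/error', model: [incidentId: incidentId])
    }

    def notFound() {
        log.warn("No mapping for ${request.forwardURI}")
        response.status = 404
        render(view: '/notFound')
    }
}
```

Also check that grails-app/views/error.gsp does not render the exception outside development: the default Grails error.gsp wraps its <g:renderException> call in <g:if env="development">, and any customised copy of that view must keep that guard.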