Stack Trace Disclosure (RoR)
Description
The application exposes detailed stack traces from Ruby on Rails (RoR) framework errors to end users. When exceptions occur, the default Rails error handling mechanism displays comprehensive debugging information including file paths, code snippets, framework versions, and application structure. This verbose error output is intended for development environments but should never be exposed in production systems.
Remediation
Configure Ruby on Rails to suppress detailed error messages in production environments and implement proper exception handling:
1. Set the production environment configuration:
Edit config/environments/production.rb to ensure detailed errors are disabled:
# Never treat requests as "local": local requests receive the full debug page
config.consider_all_requests_local = false
# Let ActionDispatch render the public/ error pages instead of surfacing the exception
config.action_dispatch.show_exceptions = true  # Rails 7.1 and later: use :all instead of true
2. Implement custom error pages:
Create user-friendly error pages in the public/ directory (e.g., 500.html) that display generic error messages without technical details.
3. Use exception handling in controllers:
class ApplicationController < ActionController::Base
  # Catch any unhandled exception raised by a controller action
  rescue_from StandardError, with: :handle_error

  private

  def handle_error(exception)
    # Keep the message and full backtrace in the server-side log only
    Rails.logger.error(exception.message)
    Rails.logger.error(exception.backtrace.join("\n"))
    # Serve the static generic page: no layout, no exception details
    # (this handler also runs in development, so the Rails debug page will not appear there either)
    render file: "#{Rails.root}/public/500.html", status: :internal_server_error, layout: false
  end
end
4. Configure centralized logging:
Ensure all exceptions are logged to secure, internal logging systems for debugging purposes while preventing exposure to end users.
5. Verify configuration:
Test error handling in a staging environment that mirrors production settings before deployment.
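As an added check for the verification step (example code, not part of the original advisory), the Ruby script below fetches a staging endpoint that is known to raise a server error and scans the response body for fingerprints of the Rails debug page; the marker list, the check_error_page helper and the two sample response bodies are assumptions constructed for the example.

```ruby
require "net/http"
require "uri"

# Fingerprints of the Rails development error page (ActionDispatch::DebugExceptions)
# and of raw backtrace frames. Any hit in a staging/production response means
# detailed error output is still reaching end users. (Marker list is an assumption.)
RAILS_DEBUG_MARKERS = [
  /Action Controller: Exception caught/i,          # <title> of the debug page
  /Extracted source \(around line #\d+\)/,         # source snippet header
  /Rails\.root:/,                                  # application root disclosure
  /\b(?:Full|Framework|Application) Trace\b/,      # backtrace tab labels
  %r{(?:app|lib|config)/[\w/]+\.rb:\d+:in `},      # frame like app/controllers/x.rb:14:in `show'
  /\b(?:ActiveRecord|ActionView|ActionController|ActionDispatch)::\w+/ # framework class names
].freeze

# Returns the markers found in a response body (empty array when the body is clean).
def stack_trace_markers(body)
  RAILS_DEBUG_MARKERS.select { |re| body.match?(re) }
end

def stack_trace_disclosed?(body)
  !stack_trace_markers(body).empty?
end

# Fetches a staging URL that is known to raise a server error (hypothetical helper)
# and reports whether the error page leaks debug details.
def check_error_page(url)
  res  = Net::HTTP.get_response(URI(url))
  body = res.body.to_s
  { status: res.code.to_i,
    leaks: stack_trace_disclosed?(body),
    markers: stack_trace_markers(body).map(&:source) }
end

# Constructed sample: a debug page as served when consider_all_requests_local is true.
LEAKY_BODY = <<~HTML
  <title>Action Controller: Exception caught</title>
  <h1>NoMethodError in OrdersController#show</h1>
  <h2>Extracted source (around line #14):</h2>
  <pre>app/controllers/orders_controller.rb:14:in `show'</pre>
  <p>Rails.root: /srv/app</p>
HTML

# Constructed sample: the generic public/500.html that production should return instead.
GENERIC_BODY = <<~HTML
  <h1>We're sorry, but something went wrong.</h1>
  <p>If you are the application owner check the logs for more information.</p>
HTML
```

Run check_error_page against a staging route that deliberately raises, and treat any non-empty markers list as a failed deployment gate.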