Missing global error handler

ID: cs/web/missing-global-error-handler
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-12
- external/cwe/cwe-248
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
`Web.config` files that set the `customErrors` mode to `Off` and do not provide an `Application_Error` method in the `global.asax.cs` file rely on the default error pages, which leak information such as stack traces.
Recommendation

Set the `customErrors` mode to `On` to prevent the default error page from being displayed, or to `RemoteOnly` to only show the default error page when the application is accessed locally. Alternatively, provide an implementation of the `Application_Error` method in the `global.asax.cs` page.
Example

The following example shows a `Web.config` file in which the custom errors mode has been set to `Off`.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <customErrors mode="Off">
      ...
    </customErrors>
  </system.web>
</configuration>
```
This can be fixed either by specifying a different mode, such as `On`, in the `Web.config` file:
```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <customErrors mode="On">
      ...
    </customErrors>
  </system.web>
</configuration>
```
or by defining an `Application_Error` method in the `global.asax.cs` file:
```csharp
using System;
using System.Web;

namespace WebApp
{
    public class Global : HttpApplication
    {
        // Invoked by ASP.NET for any unhandled exception in the application.
        void Application_Error(object sender, EventArgs e)
        {
            // Handle errors here
        }
    }
}
```
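The stub above leaves the body open. As an added example that is not part of the CodeQL documentation, the following `Application_Error` implementation shows what a handler that actually prevents the leak looks like: it logs the full exception server-side, clears it so ASP.NET never renders its default diagnostic page, and transfers to a generic error page. The `~/Error.aspx` path is an assumption; it is taken to be a static page that reveals nothing about the failure.

```csharp
using System;
using System.Diagnostics;
using System.Web;

namespace WebApp
{
    public class Global : HttpApplication
    {
        void Application_Error(object sender, EventArgs e)
        {
            // Retrieve the unhandled exception that triggered this event.
            Exception ex = Server.GetLastError();
            if (ex == null)
            {
                return;
            }

            // ASP.NET wraps page exceptions in HttpUnhandledException; unwrap
            // it so the log records the real cause.
            if (ex is HttpUnhandledException && ex.InnerException != null)
            {
                ex = ex.InnerException;
            }

            // Full details (including the stack trace) go to the server-side
            // trace listeners only; nothing here is written to the response.
            Trace.TraceError("Unhandled exception for {0}: {1}", Request.RawUrl, ex);

            // Clearing the error stops ASP.NET from rendering its default
            // error page, which is the page that leaks the stack trace.
            Server.ClearError();

            // Preserve a meaningful status code (e.g. 404 for a missing
            // resource) but otherwise report a generic 500.
            int status = (ex as HttpException)?.GetHttpCode() ?? 500;

            Response.Clear();
            Response.StatusCode = status;
            // Keep IIS from replacing the body with its own error page.
            Response.TrySkipIisCustomErrors = true;

            // Assumed to exist: a static page with a generic message and no
            // exception details.
            Server.Transfer("~/Error.aspx");
        }
    }
}
```

With this handler in place the `customErrors` mode no longer decides what a remote client sees on an unhandled exception, which is why the query accepts it as an alternative to setting the mode to `On` or `RemoteOnly`.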