Security issue: full stack trace being sent back
adamzerner opened this issue · 1 comment
adamzerner commented
I'm in the process of writing some unit tests for my server. I'm trying to write a test for:
http://localhost:3000/auth/twitter/callback?oauth_token=QjjNpgAAAAAAhE9JAAABT2WLy2k&oauth_verifier=VluLIOZODQJQ1Hw4ddCo81jwXvGD82g3
I'm getting an error. I think it's because I've used that oauth token before.
The error seems to be getting handled by passport-twitter's source code. It's sending back the full stack trace as a 500 response:
Error: Failed to find request token in session
at Strategy.OAuthStrategy.authenticate (/Users/azerner/code/mean-starter/node_modules/passport-twitter/node_modules/passport-oauth1/lib/strategy.js:142:54)
at Strategy.authenticate (/Users/azerner/code/mean-starter/node_modules/passport-twitter/lib/strategy.js:85:40)
at attempt (/Users/azerner/code/mean-starter/node_modules/passport/lib/middleware/authenticate.js:341:16)
at authenticate (/Users/azerner/code/mean-starter/node_modules/passport/lib/middleware/authenticate.js:342:7)
at Layer.handle [as handle_request] (/Users/azerner/code/mean-starter/node_modules/express/lib/router/layer.js:95:5)
at next (/Users/azerner/code/mean-starter/node_modules/express/lib/router/route.js:131:13)
at router.get.passport.authenticate.successRedirect (/Users/azerner/code/mean-starter/server/api/auth/auth.routes.js:41:5)
at Layer.handle [as handle_request] (/Users/azerner/code/mean-starter/node_modules/express/lib/router/layer.js:95:5)
at next (/Users/azerner/code/mean-starter/node_modules/express/lib/router/route.js:131:13)
at Route.dispatch (/Users/azerner/code/mean-starter/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/Users/azerner/code/mean-starter/node_modules/express/lib/router/layer.js:95:5)
at /Users/azerner/code/mean-starter/node_modules/express/lib/router/index.js:277:22
at Function.process_params (/Users/azerner/code/mean-starter/node_modules/express/lib/router/index.js:330:12)
at next (/Users/azerner/code/mean-starter/node_modules/express/lib/router/index.js:271:10)
at Function.handle (/Users/azerner/code/mean-starter/node_modules/express/lib/router/index.js:176:3)
at router (/Users/azerner/code/mean-starter/node_modules/express/lib/router/index.js:46:12)
Is the fact that it sends back the full stack trace a security issue?
jaredhanson commented
The stack trace would be sent by your application-level error handler. Passport itself just next()s with an error, it doesn't send stack responses. Suppressing this is done at the application-level, not within Passport.