Problem
When a method handler raises an unexpected exception, the response sent back to the caller embeds traceback.format_exc() verbatim:
    self.send(
        Message.new_error(
            msg,
            ErrorType.INTERNAL_ERROR,
            f"An internal error occurred: {e}.\n{traceback.format_exc()}",
        )
    )
The traceback discloses absolute filesystem paths (revealing the install location and user account names like /home/<user>/.../site-packages/...), exact source line numbers, function names, locals referenced in frames, and library versions to the remote caller. Any unprivileged process that can invoke a method on a privileged dbus-fast service running on the system bus collects this information by sending a malformed argument.
Why This Matters
Information disclosure that materially aids further exploitation — discloses installation paths (useful for path-traversal/symlink targeting), user identities, internal class structure, and version fingerprints, all from an untrusted peer with only method-call privileges.
Suggested Fix
Log the traceback locally but return only a generic message to the caller:
    except Exception as e:
        _LOGGER.exception("Internal error handling %s.%s", msg.interface, msg.member)
        if msg.message_type is MESSAGE_TYPE_CALL:
            self.send(
                Message.new_error(
                    msg,
                    ErrorType.INTERNAL_ERROR,
                    f"An internal error occurred: {type(e).__name__}",
                )
            )
        handled = True
        break
Optionally gate the verbose form behind a debug flag (e.g., env var DBUS_FAST_DEBUG_TRACEBACK=1) so the safe behavior is the default.
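The fix sketched above, as a stand-alone added example (not dbus-fast's own code): the full traceback goes to the local logger, the caller receives only the exception class name, and the leaky verbose form is an explicit opt-in. The `DEBUG_ENV_VAR` name, `handle_method_call`, `error_message_for_caller` and `_faulty_handler` are hypothetical names chosen for this illustration.

```python
import logging
import os
import traceback

_LOGGER = logging.getLogger("dbus_fast.message_bus")

# Hypothetical name for the opt-in switch suggested in the report.
DEBUG_ENV_VAR = "DBUS_FAST_DEBUG_TRACEBACK"


def verbose_tracebacks_enabled(environ=os.environ) -> bool:
    """True only when the operator explicitly opted in to verbose tracebacks."""
    return environ.get(DEBUG_ENV_VAR) == "1"


def error_message_for_caller(exc: BaseException, *, verbose: bool = False) -> str:
    """Build the body of the D-Bus error reply.

    The default form carries only the exception class name. The verbose form
    (the original, leaky behaviour: message text plus traceback.format_exc())
    is only produced when explicitly requested. Must be called inside the
    handling `except` block so format_exc() sees the active exception.
    """
    base = f"An internal error occurred: {type(exc).__name__}"
    if verbose:
        return f"{base}: {exc}.\n{traceback.format_exc()}"
    return base


def handle_method_call(handler, *args, verbose: bool = False) -> tuple:
    """Invoke a method handler and return (ok, reply_text).

    On failure the full traceback is written to the local log, which the
    remote peer cannot read, and reply_text is what would be sent back.
    """
    try:
        return True, str(handler(*args))
    except Exception as exc:  # any handler failure must still produce a reply
        _LOGGER.exception("Internal error handling method call")
        return False, error_message_for_caller(exc, verbose=verbose)


def _faulty_handler(arg):
    """Constructed stand-in for a handler that chokes on a malformed argument."""
    return int(arg)
```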
Details
| Field | Value |
| --- | --- |
| Severity | 🟡 Medium |
| Category | config |
| Location | src/dbus_fast/message_bus.py:830-841 |
| Effort | ⚡ Quick fix |
🤖 Created by Kōan from audit session