GuardAPI

Fix Improper Error Handling in Camping

Camping is a minimalist Ruby framework, and by default it does not handle an unhandled controller exception at all: the stock error hook re-raises it, so what the client sees is whatever the surrounding Rack stack renders. In development that is typically Rack::ShowExceptions, which returns the full backtrace, the exception message and the Rack environment (request headers, query data, file paths) to the browser. Exception messages frequently embed SQL fragments, file paths, gem versions and configuration values, so this information disclosure gives an attacker a map of the application and is a common first step toward a more serious compromise. The fix below defines the app's own error hook so that production responses carry none of that detail.

The Vulnerable Pattern

require 'camping'
Camping.goes :LeakApp

module LeakApp::Controllers
  class Index < R '/'
    def get
      # Triggering an unhandled exception. Camping's default r500 re-raises it,
      # so the Rack stack decides what the client sees: under Rack::ShowExceptions
      # (used in development) that is the full backtrace and Rack environment.
      raise "Internal logic failure at #{Time.now}"
    end
  end
end

The Secure Implementation

When a controller raises, Camping's dispatcher calls the hook 'r500(k, m, e)' with the controller class, the request method and the exception (there is no 'service_exception' hook in Camping; 'r500' is the method it actually calls). The default implementation in 'Camping::Base' simply re-raises, which is why the trace escapes to the server or to Rack::ShowExceptions. The secure implementation overrides 'r500' in the application's 'Helpers' module, which Camping mixes into every controller, so the override is found before the default. The override logs the exception class, message and backtrace server-side for developers and answers the client with a fixed, generic 500 body, so no exception text reaches the response and the disclosure vector is closed. Two practical caveats: this covers exceptions raised inside controllers, not errors raised by middleware above the app, and the hook name should be confirmed against 'Camping::Base' in the Camping version you run (the description here follows Camping 2.x).

require 'camping'
Camping.goes :SecureApp

module SecureApp::Helpers
  # Override r500 to control error output. Camping calls r500(k, m, e) with the
  # controller class, request method and exception; the default re-raises.
  # Helpers is mixed into every controller, so this definition wins.
  def r500(k, m, e)
    # 1. Log the detailed error server-side for forensics
    File.open('error.log', 'a') do |f|
      f.puts("#{Time.now.utc} #{k}##{m} #{e.class}: #{e.message}")
      f.puts(Array(e.backtrace).join("\n"))
    end

    # 2. Return a generic 500 response without internal details
    r(500, "<h1>Internal Server Error</h1><p>The incident has been logged.</p>")
  end
end

module SecureApp::Controllers
  class Index < R '/'
    def get
      raise "This error will not leak to the client"
    end
  end
end
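The same pattern is worth having as a defense-in-depth layer that does not depend on the framework hook being wired correctly. The following is an added example, not code from the page or from the Camping project: a plain Rack-style middleware (no gems required, it only follows the call(env) convention) that catches anything the wrapped app raises, logs the full trace server-side with a random incident reference, and returns a generic 500 carrying only that reference. LEAKY_APP is a constructed stand-in for an app whose controller raises an exception with a secret-bearing message (the situation Camping's default r500 would re-raise to the server), and leaks? is the check a practitioner actually wants: assert that none of the exception text appears in the client-visible body.

```ruby
require 'logger'
require 'securerandom'
require 'stringio'

# Rack-compatible wrapper: any StandardError raised by the wrapped app is
# logged in full server-side and replaced by a generic 500 response that
# carries only an incident reference the user can quote to support.
class SafeErrorHandler
  GENERIC_BODY = '<h1>Internal Server Error</h1>' \
                 '<p>The incident has been logged (ref %s).</p>'

  def initialize(app, logger: Logger.new($stderr))
    @app = app
    @logger = logger
  end

  def call(env)
    @app.call(env)
  rescue StandardError => e
    # Random reference links the user's report to the log line without
    # revealing anything about the failure itself.
    ref = SecureRandom.hex(8)
    @logger.error(
      "[#{ref}] #{env['REQUEST_METHOD']} #{env['PATH_INFO']} " \
      "#{e.class}: #{e.message}\n#{Array(e.backtrace).join("\n")}"
    )
    body = format(GENERIC_BODY, ref)
    [500, { 'content-type' => 'text/html',
            'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed stand-in (not Camping's dispatcher) for an app whose controller
# raises; the message deliberately embeds a credential to show what must not
# reach the client.
LEAKY_APP = lambda do |_env|
  raise 'Internal logic failure: db=postgres://app:s3cret@db.internal/prod'
end

# Minimal Rack env for a GET request; enough for the middleware's log line.
def run_request(app, path = '/')
  app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path)
end

# Zero-leakage check: true if any of the given strings shows up in the body.
def leaks?(body, *secrets)
  text = body.join
  secrets.any? { |s| text.include?(s) }
end

# Runs one request through the wrapped leaky app and reports what the client
# got versus what the server logged.
def demo(secret = 's3cret')
  log = StringIO.new
  app = SafeErrorHandler.new(LEAKY_APP, logger: Logger.new(log))
  status, headers, body = run_request(app)
  {
    status: status,
    content_type: headers['content-type'],
    body: body.join,
    leaked: leaks?(body, secret, 'Internal logic failure'),
    logged: log.string.include?(secret)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Mount it outermost in config.ru (`use SafeErrorHandler` before `run SecureApp`) so it also covers exceptions from middleware above the app; the r500 override remains the right place for Camping-specific handling because it can still use the framework's request object and templates. Rescuing StandardError rather than Exception is deliberate: interrupts and fatal VM errors should still take the process down rather than be turned into 500s.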


Verified by Ghost Labs Security Team