GuardAPI

Fix Improper Error Handling in Cuba

Cuba is a micro-framework that prides itself on minimalism, but this lack of boilerplate means security is entirely in the hands of the developer. Cuba itself installs no error page or exception handler, so an unhandled exception in a route propagates out of the Rack application; whatever sits in front of it (a Rack::ShowExceptions-style debugging middleware, or the app server's default error page) then decides how much of the exception message, backtrace, request environment and filesystem paths reaches the client. To prevent Generation of Error Message Containing Sensitive Information (CWE-209), implement a centralized error handling strategy that separates what is logged internally from what is reported to the client.

The Vulnerable Pattern

require 'cuba'
require 'json'

Cuba.define do
  on 'debug/test_error' do
    # Vulnerable: no error handler is defined anywhere in the app.
    # Whatever is in front of Cuba (Rack::ShowExceptions, the app server's
    # default error page) decides how much of this message and its
    # backtrace reaches the browser.
    raise 'Connection failed to: 192.168.1.55:5432 (internal_db)'
  end

  on 'user/:id' do |id|
    # User is a placeholder model: imagine User.find raising a raw PG::Error
    # that carries the failing SQL and the database host name.
    user = User.find(id)
    res.write user.to_json
  end
end

The Secure Implementation

Cuba ships no error matcher (there is no `on error`), so the safety net is an ordinary begin/rescue wrapped around the whole route tree inside Cuba.define. Cuba evaluates that block inside a catch(:halt), and a matched route leaves it with throw rather than with an exception, so the rescue only ever sees genuine failures. In the vulnerable snippet, a crash exposes the database IP and internal naming conventions. The secure version intercepts the exception, logs the full message and backtrace to the application log (STDOUT or a file that only operators can read), and returns a sanitized JSON object to the client. A reference ID generated with SecureRandom.uuid goes into both the log line and the response, so a developer can correlate a user's complaint with the exact log entry without ever showing the user the error message itself (an object_id is not suitable for this: it is reused within a process and says nothing across processes). Three details matter in practice: the handler must finish with halt(res.finish), because otherwise Cuba's fall-through not_found resets the status to 404 after the JSON body has been written; rescue StandardError rather than Exception, so interrupts and exit signals still propagate; and do not let route blocks write partial output before their fallible work is done, since res.write appends and a partial body would precede the error JSON.

require 'cuba'
require 'json'
require 'logger'
require 'securerandom'

LOGGER = Logger.new(STDOUT)

Cuba.define do
  # Global catch-all: Cuba has no "on error" matcher, so the whole route
  # tree is wrapped in a rescue. Matched routes leave this block via
  # throw(:halt), which rescue does not intercept, so only real failures
  # land in the rescue clause below.
  begin
    on 'user/:id' do |id|
      begin
        user = User.find(id)            # placeholder model, as in the vulnerable example
        res.write user.to_json
      rescue UserNotFoundError          # hypothetical model error: map expected failures explicitly
        res.status = 404
        res.headers['Content-Type'] = 'application/json'
        res.write({ error: 'User not found' }.to_json)
      end
    end
  rescue StandardError => e
    ref = SecureRandom.uuid

    # 1. Internal logging: class, message and full stack trace, keyed by the reference ID
    LOGGER.error("ref=#{ref} #{e.class}: #{e.message}\n#{Array(e.backtrace).join("\n")}")

    # 2. External response: generic message plus the reference ID, no technical details
    res.status = 500
    res.headers['Content-Type'] = 'application/json'
    res.write({ error: 'Internal Server Error', ref: ref }.to_json)

    # Stop here. Without halt, Cuba's fall-through not_found would set 404 on the way out.
    halt(res.finish)
  end
end
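The same log-internally, report-generically strategy can also live one layer below Cuba, as a Rack middleware installed with Cuba.use. The block below is an added example written for this page; it is not code from GuardAPI or from the Cuba project, and the names SafeErrors, LEAKY_APP and handle are its own. It stands in for the Cuba app with a plain Rack lambda that raises the same leaky error as the vulnerable route, so it runs with the Ruby standard library alone, and it returns the client-visible response next to the captured log line so the separation can be checked rather than eyeballed.

```ruby
require 'json'
require 'logger'
require 'securerandom'
require 'stringio'

# Rack middleware (example code, not from the Cuba project): catches anything
# the downstream app raises, logs the full detail under a reference id, and
# answers the client with a fixed JSON body that carries only that id.
class SafeErrors
  def initialize(app, logger)
    @app = app
    @logger = logger
  end

  def call(env)
    @app.call(env)
  rescue StandardError => e
    ref = SecureRandom.uuid
    # Internal: class, message and backtrace, never sent to the client.
    @logger.error("ref=#{ref} #{e.class}: #{e.message}\n#{Array(e.backtrace).join("\n")}")
    # External: generic message plus the correlation id only.
    body = { error: 'Internal Server Error', ref: ref }.to_json
    # Lowercase header names are assumed here (Rack 3 style); adjust for older Rack.
    [500, { 'content-type' => 'application/json', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed stand-in for a Cuba app. It raises the same kind of leaky error
# as the vulnerable debug route and answers every other path with 200.
LEAKY_APP = lambda do |env|
  if env['PATH_INFO'] == '/debug/test_error'
    raise 'Connection failed to: 192.168.1.55:5432 (internal_db)'
  end
  [200, { 'content-type' => 'text/plain' }, ['ok']]
end

# Run one request through the middleware with the log captured in memory, and
# return what the client saw together with the log text.
def handle(path)
  log = StringIO.new
  app = SafeErrors.new(LEAKY_APP, Logger.new(log))
  status, headers, body = app.call('PATH_INFO' => path, 'REQUEST_METHOD' => 'GET')
  { status: status, headers: headers, body: body.join, log: log.string }
end

if $PROGRAM_NAME == __FILE__
  r = handle('/debug/test_error')
  puts "client saw: #{r[:status]} #{r[:body]}"
  puts "log holds:  #{r[:log].lines.first}"
end
```

In a Cuba deployment the middleware is registered with `Cuba.use SafeErrors, LOGGER` before the routes are defined; because it wraps the whole app rather than the route tree, it also covers exceptions raised by other middleware and by code that runs before Cuba's catch(:halt). The handle helper exists only so the behaviour can be asserted: the client body must never contain the host, port or database name from the exception, while the log line must contain all of them and the same ref as the body.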


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.