Don't return back the sensitive information to user

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

The way the description reads, this seems like a solution proposal rather than a vulnerability report. If there are specific information leaks for which we need to issue a broad advisory, please include clear details and example output demonstrating each leak along with the set of steps necessary for a user of the service to predictably reproduce them in production.

Otherwise I'm inclined to consider this a security hardening opportunity, in which case it should use the "security" bug tag rather than the "Public Security" information type reserved by the VMT for vulnerability reporting.

Fix proposed to branch: master
Review: https://review.openstack.org/490320

Switching the OSSA task to Won't Fix since this looks like a class D (harderning) at most.

Reviewed: https://review.openstack.org/490320
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=8cdfc3b293027292d21974b8152f42426d1f61ae
Submitter: Zuul
Branch: master

commit 8cdfc3b293027292d21974b8152f42426d1f61ae
Author: huangtianhua <email address hidden>
Date: Thu Aug 3 11:56:11 2017 +0800

    Don't return the sensitive information to user

    We return back the sensitive information to user
    when some exceptions happened, for example,
    when DBError happened, we return the whole sql
    statement to user, it's not safe.
    This patch changes to return the message if the
    exception is the HeatException, otherwise the message
    won't be revealed to user.

    Change-Id: I6e01b1003a39106274e79c3b413917a30b5651b6
    Closes-Bug: #1708122

This issue was fixed in the openstack/heat 10.0.0.0b2 development milestone.