Miserlou / Zappa

Serverless Python
https://blog.zappa.io/
MIT License

Zappa returning stack traces in response body when Unicode characters used in URI #1170

Closed majackson closed 6 years ago

majackson commented 6 years ago

Context

A company I am currently working at recently hired a penetration tester to investigate a REST API built with python3, django and zappa.

A redacted extract from the security report is below: [image: zappa_django_pentest]

From the stack trace given in the response, I am not certain if the problem lies with django or zappa, so some insight from others here would be useful.

It's important not to return stack traces in responses, as it reveals the internals of a system, which could lead to the exploitation of vulnerabilities.

Environment

mcrowson commented 6 years ago

So one of the settings in the config file is "debug" which defaults to true. When this value is true, it returns errors in the response. When it is set to false, you get a wonderfully cryptic 500. Do you know what that zappa_settings.json looks like?
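The check a reviewer would want after reading the comment above, as an added example that is not part of Zappa or of this issue: it parses a constructed `zappa_settings.json`, reports every stage whose `"debug"` is true or absent (the default-to-true behaviour described in the thread is assumed, not verified against Zappa's source), emits the hardened form with `"debug": false` set explicitly on every stage, and includes a small post-deploy check that flags a response body carrying a Python traceback. Stage names, bucket and settings-module values are constructed placeholders.

```python
"""Audit zappa_settings.json stages for the Zappa "debug" setting.

Assumption taken from the thread: a stage with no "debug" key behaves as
"debug": true, and in that mode an uncaught exception returns the Python
traceback in the HTTP response body.
"""
import json
import re

# Constructed sample settings file (placeholder values, not a real deployment).
# "dev" opts in to debug, "production" omits the key (so it inherits the
# default), "staging" is the only stage that sets it off explicitly.
SAMPLE_SETTINGS = """
{
  "dev": {
    "django_settings": "myapp.settings",
    "s3_bucket": "example-zappa-bucket",
    "debug": true
  },
  "production": {
    "django_settings": "myapp.settings",
    "s3_bucket": "example-zappa-bucket",
    "aws_region": "us-east-1"
  },
  "staging": {
    "django_settings": "myapp.settings",
    "s3_bucket": "example-zappa-bucket",
    "debug": false
  }
}
"""


def effective_debug(stage_config, default=True):
    """Return the debug mode a stage will actually run with.

    A missing key is treated as the default (true, per the thread).
    """
    return bool(stage_config.get("debug", default))


def stages_in_debug_mode(settings_text):
    """Names of stages that would echo tracebacks to clients."""
    settings = json.loads(settings_text)
    return sorted(name for name, cfg in settings.items() if effective_debug(cfg))


def harden(settings_text):
    """Return the settings with "debug": false written into every stage.

    Setting the key explicitly, rather than relying on the default, keeps a
    later stage (or a copy-pasted one) from silently inheriting debug mode.
    """
    settings = json.loads(settings_text)
    for cfg in settings.values():
        cfg["debug"] = False
    return json.dumps(settings, indent=2)


# Marker that opens every CPython traceback; a body containing it has leaked
# internals regardless of what the framework put around it.
TRACEBACK_MARKER = re.compile(r"Traceback \(most recent call last\):")


def response_leaks_traceback(body):
    """Post-deploy smoke check: True if an error response carries a traceback."""
    return TRACEBACK_MARKER.search(body) is not None


# Constructed response bodies for the smoke check (not captured from a server).
LEAKY_BODY = (
    "Traceback (most recent call last):\n"
    '  File "/var/task/handler.py", line 1, in handler\n'
    "UnicodeDecodeError: 'ascii' codec can't decode byte\n"
)
CLEAN_BODY = '{"detail": "Not found"}'


if __name__ == "__main__":
    print("stages in debug mode:", stages_in_debug_mode(SAMPLE_SETTINGS))
    hardened = harden(SAMPLE_SETTINGS)
    print("after hardening:", stages_in_debug_mode(hardened))
    print("leaky body flagged:", response_leaks_traceback(LEAKY_BODY))
    print("clean body flagged:", response_leaks_traceback(CLEAN_BODY))
```

Run it against a real `zappa_settings.json` by reading the file into `stages_in_debug_mode`; the important output is the `production` entry, which appears only because the key is absent. The traceback check is meant for a deploy pipeline that requests a known error path and fails the build if the body matches.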

majackson commented 6 years ago

d'oh! This simple solution fixed the issue. It does seem a shame that the non-debug error-handling response discloses that Zappa is the tool being used though. Thanks for your help!