From fab5dc87254fb5d07d902e9df63cdd5468c94f11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gast=C3=B3n=20Fournier?= Date: Tue, 7 Oct 2025 16:41:40 +0200 Subject: [PATCH] fix: Information exposure through a stack trace (#10737) Fix for [https://github.com/Unleash/unleash/security/code-scanning/81](https://github.com/Unleash/unleash/security/code-scanning/81) To prevent information exposure through stack traces, ensure that the HTTP response sent to clients contains only sanitized, generic error information, such as a status code and a simple message. Internal details (including stack traces, error types, or internal error codes) should not be sent to the client. These can be safely logged on the server for debugging. **The fix:** - Do not return the entire `finalError` object as JSON to the client, as it may include fields like `stack` or `internalMessage`. - Instead, return only a subset of fields that are safe to expose to the user, in this case just `message` . - Log the full error and any debugging details using the server-side logger **as currently done**. --- _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/lib/routes/util.ts | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/lib/routes/util.ts b/src/lib/routes/util.ts
index 0a02bbb504..dc6dfe52ff 100644
--- a/src/lib/routes/util.ts
+++ b/src/lib/routes/util.ts
@@ -61,5 +61,23 @@ export const handleErrors: (
 );
 }
- return res.status(finalError.statusCode).json(finalError).end();
+ // details property behaves weirdly. Trying to access it as finalError.details[0],
+ // hangs the execution of this method. Returning it as finalError.details doesn't
+ // work returning undefined. Printing out the finalError object using JSON.stringify
+ // shows that the details property is there and is an array.
+ // Running JSON.stringify(finalError.details) also hangs.
+ // As a workaround, we do a roundabout way of getting to the details property
+ // by doing JSON.parse(JSON.stringify(finalError))['details']
+ const details =
+ // @ts-expect-error - details might not be present on all UnleashErrors
+ // biome-ignore lint/complexity/useLiteralKeys: see above
+ finalError.details ?? JSON.parse(JSON.stringify(finalError))['details'];
+ return res
+ .status(finalError.statusCode)
+ .json({
+ name: finalError.name,
+ message: finalError.message,
+ details,
+ })
+ .end();
 };
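Review bot: The fallback on the `const details =` line, `JSON.parse(JSON.stringify(finalError))['details']`, makes the response depend on whatever `finalError`'s `toJSON` or enumerable fields serialize to, which is not visible in this hunk, so the allow-list the commit introduces is only as safe as that serialization; `JSON.stringify` also throws on circular structures, and an exception inside this error handler would skip the sanitized response entirely. Consider guarding it, e.g. `let details: unknown; try { details = finalError.details ?? JSON.parse(JSON.stringify(finalError)).details; } catch { details = undefined; }`, and forwarding `details` only when it is the array the comment says it should be (`Array.isArray(details) ? details : undefined`). The commit description says only `message` is returned, but the `.json({` object also carries `name` and `details`; either align the description or add a comment on that object stating that `name` and `details` are treated as public, user-facing fields. The seven-line "behaves weirdly" comment documents a symptom rather than a cause (a property access that hangs usually points at a getter or proxy on the error class) and would be better as a short note referencing a tracking issue. `handleErrors` starts outside the hunk.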