Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-10-27 11:02:16 +01:00
Code Issues Projects Releases Wiki Activity

fix: Information exposure through a stack trace (#10737)

Browse Source 
Fix for
[https://github.com/Unleash/unleash/security/code-scanning/81](https://github.com/Unleash/unleash/security/code-scanning/81)

To prevent information exposure through stack traces, ensure that the
HTTP response sent to clients contains only sanitized, generic error
information, such as a status code and a simple message. Internal
details (including stack traces, error types, or internal error codes)
should not be sent to the client. These can be safely logged on the
server for debugging.

**The fix:**  
- Do not return the entire `finalError` object as JSON to the client, as
it may include fields like `stack` or `internalMessage`.
- Instead, return only a subset of fields that are safe to expose to the
user, in this case just `message` .
- Log the full error and any debugging details using the server-side
logger **as currently done**.


---
_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
Gastón Fournier 2025-10-07 16:41:40 +02:00 committed by GitHub
parent 8f2cf5386d
commit fab5dc8725
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/lib/routes/util.ts
View File

@ -61,5 +61,23 @@ export const handleErrors: (
); );
} }
return res.status(finalError.statusCode).json(finalError).end(); // details property behaves weirdly. Trying to access it as finalError.details[0],
// hangs the execution of this method. Returning it as finalError.details doesn't
// work returning undefined. Printing out the finalError object using JSON.stringify
// shows that the details property is there and is an array.
// Running JSON.stringify(finalError.details) also hangs.
// As a workaround, we do a roundabout way of getting to the details property
// by doing JSON.parse(JSON.stringify(finalError))['details']
const details =
// @ts-expect-error - details might not be present on all UnleashErrors
// biome-ignore lint/complexity/useLiteralKeys: see above
finalError.details ?? JSON.parse(JSON.stringify(finalError))['details'];
return res
.status(finalError.statusCode)
.json({
name: finalError.name,
message: finalError.message,
details,
})
.end();
}; };