fix: sanitize error responses to prevent stack trace exposure#228
Open
sorlen008 wants to merge 1 commit into idosal:main from
Conversation
Return generic error messages to clients instead of raw error.message or string-interpolated error objects. Detailed errors are logged server-side with console.error() for debugging.

Fixes idosal#218 (finding 2: ASF-2026-2047).

Files changed:
- app/routes/api.chat.ts: getErrorMessage fallback no longer returns error.message; uses a static string instead
- src/api/tools/commonTools.ts: searchRepositoryCode and fetchUrlContent no longer embed error details in user-facing response text
- src/api/test-setup.ts: R2 upload failure results no longer include the raw error message in the JSON response

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Addresses finding #2 from #218 (ASF-2026-2047): error messages were returned directly to clients without sanitization, potentially revealing internal paths, stack traces, and application structure.
Changes
- app/routes/api.chat.ts: The getErrorMessage fallback in toDataStreamResponse previously returned the raw error.message to the client. Now returns a generic "An unexpected error occurred. Please try again later." while logging the full error server-side via console.error().
- src/api/tools/commonTools.ts (searchRepositoryCode): Error catch block was interpolating the raw error object into user-facing response text (An error occurred while searching code: ${error}). Replaced with a static message; detailed error is logged server-side.
- src/api/tools/commonTools.ts (fetchUrlContent): Same pattern: raw error was embedded in the response text. Now returns a generic message.
- src/api/test-setup.ts (handleR2TestSetup): R2 upload failure results included error.message in the JSON response body. Removed the error detail from the response; it is now only logged server-side.
Approach
The fix follows a consistent pattern across all four locations:
- Detailed errors are logged server-side (console.error) for debugging
- Specific known-safe error messages (rate limit, API key missing) in api.chat.ts are preserved as-is since they contain no internal details.
Testing
- npx tsc --noEmit passes with no errors
Fixes #218
Test plan
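As an added illustration of the pattern described in the Approach section (example code, not the project's own or the PR author's): a TypeScript helper that returns a generic message to the client, passes through only an allow-list of known-safe messages, and writes the full detail (including the stack) to the server log. The names sanitizeError, KNOWN_SAFE_MESSAGES, leaksInternals and handleRequest are assumptions, and the allow-listed strings are constructed for the example rather than taken from the project.

```typescript
// Added example of the "generic message to client, full detail to server log" pattern.
// All names here are assumptions; the allow-listed messages are constructed, not the project's.

export const GENERIC_ERROR_MESSAGE =
  "An unexpected error occurred. Please try again later.";

// Allow-list of messages that are safe to show a client because they contain no
// paths, stack frames or internal structure (constructed examples).
export const KNOWN_SAFE_MESSAGES: ReadonlySet<string> = new Set([
  "Rate limit exceeded. Please try again later.",
  "API key is missing.",
]);

export interface SanitizedError {
  clientMessage: string; // what goes into the HTTP response body
  serverLog: string;     // what is written to the server log (full detail)
  passthrough: boolean;  // true when the message came from the allow-list
}

// Decide what the client sees and what the server logs for an arbitrary thrown value.
export function sanitizeError(
  error: unknown,
  log: (msg: string) => void = console.error,
): SanitizedError {
  const message = error instanceof Error ? error.message : "";
  // Full detail for operators: name, message and stack (stack is undefined for non-Errors).
  const detail =
    error instanceof Error
      ? `${error.name}: ${error.message}\n${error.stack ?? ""}`
      : String(error);
  const passthrough = KNOWN_SAFE_MESSAGES.has(message);
  const clientMessage = passthrough ? message : GENERIC_ERROR_MESSAGE;
  const serverLog = `[sanitizeError] ${detail}`;
  log(serverLog);
  return { clientMessage, serverLog, passthrough };
}

// Simple check a test suite can run over response bodies: does the text look like it
// carries a stack frame ("    at fn (file:line:col)") or an absolute source path?
export function leaksInternals(body: string): boolean {
  const stackFrame = /\n\s*at\s+\S/;
  const sourcePath = /\/(?:home|Users|app|src)\//;
  return stackFrame.test(body) || sourcePath.test(body);
}

// A minimal handler showing the pattern in use: the thrown error never reaches the body.
export function handleRequest(
  work: () => string,
  log: (msg: string) => void = console.error,
): { status: number; body: string } {
  try {
    return { status: 200, body: work() };
  } catch (err) {
    const { clientMessage } = sanitizeError(err, log);
    return { status: 500, body: JSON.stringify({ error: clientMessage }) };
  }
}
```

The allow-list is deliberately an exact-match set rather than a pattern: a substring or regex match on "rate limit" would let an attacker-influenced message (for example one echoing a user-supplied value) slip through, whereas exact matching only ever passes the fixed strings the application itself produces.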