From 3f874b9260ec930ec0b4ed234b31c5dddefdbe4d Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Fri, 24 Apr 2026 05:14:45 -0700
Subject: [PATCH] fix(security): internal exception messages are returned to client

The base controller returns raw exception messages in HTTP responses (`['message' => $e->getMessage()]`). If exception text contains internal details (query context, identifiers, stack-related hints), this can expose sensitive implementation information to attackers.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 lib/Controller/BaseController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Controller/BaseController.php b/lib/Controller/BaseController.php
index 893992b77d..74ad703dd9 100644
--- a/lib/Controller/BaseController.php
+++ b/lib/Controller/BaseController.php
@@ -48,7 +48,7 @@ protected function response(
         /** @var HttpStatusCode $status */
         $status = $e->getStatus();
-        return new JSONResponse(['message' => $e->getMessage()], $status);
+        return new JSONResponse(['message' => 'Request failed'], $status);
     }
 }
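Review bot: The new `+` line discards the exception text entirely, and nothing in the hunk logs it, so unless the catch that starts above the hunk already records `$e`, operators lose the only diagnostic for a failed request; log it server-side before the return, e.g. through a PSR-3 logger if the controller has one injected: `$logger->error($e->getMessage(), ['exception' => $e]);` (constructed sample, adapt the property name). The hunk header also shows seven context lines but only five are visible, so the surrounding blank lines appear to have been lost in the paste rather than removed by the commit. If the project has exception types whose messages are intended for the client (validation or not-found errors), a blanket `'Request failed'` will hide them too; a marker interface or a flag on the exception could let those through while keeping internal messages out. The `response()` method begins outside the hunk.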