From 1208b3bd40f9ea1fe609b853fa88917c1d05ab5d Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 31 May 2026 20:45:08 +1000
Subject: [PATCH] fix(api): drop err.message from 500 response body (CWE-209)

Catch-all error handlers in lib/api/errors.js and server.js were echoing raw err.message to clients. Replace with a fixed generic message; the full error continues to be logged server-side via pino.

Co-Authored-By: Claude Opus 4.7
---
 lib/api/errors.js | 2 +-
 server.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/api/errors.js b/lib/api/errors.js
index 4aa2600..a6bb297 100644
--- a/lib/api/errors.js
+++ b/lib/api/errors.js
@@ -44,5 +44,5 @@ export function errorMiddleware(err, _req, res, _next) {
 return res.status(err.status).json(body);
 }
 log.error({ err }, 'unhandled');
- res.status(500).json({ error: { code: 'internal', message: err.message } });
+ res.status(500).json({ error: { code: 'internal', message: 'internal server error' } });
 }
diff --git a/server.js b/server.js
index 14cc9e4..d3d3e5c 100644
--- a/server.js
+++ b/server.js
@@ -27,7 +27,7 @@ export function createApp() {
 app.use((err, _req, res, _next) => {
 log.error({ err }, 'unhandled');
- res.status(500).json({ error: { code: 'internal', message: err.message } });
+ res.status(500).json({ error: { code: 'internal', message: 'internal server error' } });
 });
 return app;
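Review bot: With err.message gone from the 500 body, a client has no way to point operators at the matching `log.error({ err }, 'unhandled')` entry, so the generic message should travel with a correlation id; if the request logger assigns one (pino-http exposes it as `req.id`), rename `_req` to `req` in the signature and send `res.status(500).json({ error: { code: 'internal', message: 'internal server error', requestId: req.id } });` while logging the same id. The handler also never checks `res.headersSent`, so an error raised after the response has started makes `res.status(500)` throw inside the error handler itself; `if (res.headersSent) return _next(err);` before the log call is the delegation Express recommends. The same literal and the same omissions appear in the server.js hunk, whose inline handler duplicates errorMiddleware, and having createApp mount errorMiddleware instead would keep the generic message in one place. errorMiddleware's signature and the construction of `body` start above this hunk and the server.js hunk appears truncated, so whether the `err.status` branch still exposes messages from errors that merely carry a status cannot be judged here.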