Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): drop err.message from 500 response body (CWE-209)

Browse Source 
Catch-all error handlers in lib/api/errors.js and server.js were
echoing raw err.message to clients. Replace with a fixed generic
message; the full error continues to be logged server-side via pino.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
root
2026-05-31 20:45:08 +10:00
parent beb6da21c8
commit 1208b3bd40
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/api/errors.js
View File

@@ -44,5 +44,5 @@ export function errorMiddleware(err, _req, res, _next) {
return res.status(err.status).json(body); return res.status(err.status).json(body);
} }
log.error({ err }, 'unhandled'); log.error({ err }, 'unhandled');
res.status(500).json({ error: { code: 'internal', message: err.message } }); res.status(500).json({ error: { code: 'internal', message: 'internal server error' } });
} }

2
server.js
View File

@@ -27,7 +27,7 @@ export function createApp() {
app.use((err, _req, res, _next) => { app.use((err, _req, res, _next) => {
log.error({ err }, 'unhandled'); log.error({ err }, 'unhandled');
res.status(500).json({ error: { code: 'internal', message: err.message } }); res.status(500).json({ error: { code: 'internal', message: 'internal server error' } });
}); });
return app; return app;