🛡️ Sentinel: [MEDIUM] Fix information leakage in file upload API

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2026-05-14 - Information Leakage in File Upload
+**Vulnerability:** The API endpoint `src/app/api/upload/route.ts` previously exposed internal configuration status (missing environment variables) and full underlying Cloudinary error objects (including message, `http_code`, and raw `error`) to the client when a file upload failed.
+**Learning:** Returning full error details to the client on generic Catch blocks is a common anti-pattern that can expose underlying third-party dependencies, API structure, or stack traces which an attacker can use for reconnaissance.
+**Prevention:** Always implement an error handling boundary in API endpoints where server-side logs capture full raw errors/trace, while the HTTP responses mask these details with a generic user-facing message such as `Internal server error` or `Failed to upload image`.

src/app/api/upload/route.ts

@@ -12,7 +12,7 @@ export async function POST(request: NextRequest) {
         api_secret: !!process.env.CLOUDINARY_API_SECRET
       });
       return NextResponse.json(
-        { error: 'Cloudinary is not configured. Please set environment variables.' },
+        { error: 'Internal server error' },
         { status: 500 }
       );
     }
@@ -60,7 +60,7 @@ export async function POST(request: NextRequest) {
   } catch (error: any) {
     console.error('Upload error:', error);
 
-    // Return detailed error message
+    // Log detailed error message internally
     const errorMessage = error?.message || error?.error?.message || 'Failed to upload image';
     const errorDetails = {
       error: errorMessage,
@@ -70,8 +70,9 @@ export async function POST(request: NextRequest) {
 
     console.error('Full error details:', errorDetails);
 
+    // Return generic error to the client to avoid leaking internal service details
     return NextResponse.json(
-      errorDetails,
+      { error: 'Failed to upload image' },
       { status: 500 }
     );
   }