From c9f402139caf499865268c7aa61efd7b159c586b Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sun, 17 May 2026 04:44:47 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM]=20?= =?UTF-8?q?Fix=20information=20leakage=20in=20upload=20route?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🚨 Severity: MEDIUM 💡 Vulnerability: Detailed Cloudinary error objects and environment variable configuration statuses were being returned directly in 500 HTTP responses. 🎯 Impact: Attackers could gain insights into internal backend setup, API credentials status, and potentially detailed Cloudinary folder structure from these stack traces. 🔧 Fix: Sanitized error responses to return generic error messages to the client while preserving detailed errors and tracebacks in server console logs. ✅ Verification: Ran `npm run build` and `npx tsc --noEmit` which succeeded with no regressions. Co-authored-by: GerryK97 <210032986+GerryK97@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 src/app/api/upload/route.ts | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 00000000..5bd16bb0
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-17 - Error Response Sanitization
+**Vulnerability:** Detailed Cloudinary and API service errors were being exposed in the HTTP 500 response bodies in `/api/upload/route.ts`.
+**Learning:** Returning `error: error.message` in Catch blocks directly surfaces internal server configurations, credentials status, and backend stack implementation details.
+**Prevention:** Always log the detailed error internally (`console.error`) and return a generic `NextResponse.json({ error: "Failed to perform action" })` to the client API response. 
diff --git a/src/app/api/upload/route.ts b/src/app/api/upload/route.ts
index 1664e115..70897221 100644
--- a/src/app/api/upload/route.ts
+++ b/src/app/api/upload/route.ts
@@ -12,7 +12,7 @@ export async function POST(request: NextRequest) {
 api_secret: !!process.env.CLOUDINARY_API_SECRET
 });
 return NextResponse.json(
- { error: 'Cloudinary is not configured. Please set environment variables.' },
+ { error: 'Internal server error during upload' },
 { status: 500 }
 );
 }
@@ -60,7 +60,7 @@ export async function POST(request: NextRequest) {
 }
 } catch (error: any) {
 console.error('Upload error:', error);
- // Return detailed error message
+ // Construct detailed error message for server logs ONLY
 const errorMessage = error?.message || error?.error?.message || 'Failed to upload image';
 const errorDetails = {
 error: errorMessage,
@@ -70,8 +70,9 @@ export async function POST(request: NextRequest) {
 console.error('Full error details:', errorDetails);
+ // Return sanitized generic error message to client
 return NextResponse.json(
- errorDetails,
+ { error: 'Failed to upload image' },
 { status: 500 }
 );
 }
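Review bot: The two sanitized 500 bodies are still distinguishable: the configuration branch at @@ -12 returns `'Internal server error during upload'` while the catch-all at @@ -70 returns `'Failed to upload image'`, so a caller can still tell a missing Cloudinary configuration apart from a failed upload even though neither message names it. If that distinction is not meant to be observable, return one shared constant from both branches, e.g. `const UPLOAD_ERROR = { error: 'Failed to upload image' } as const;` and `return NextResponse.json(UPLOAD_ERROR, { status: 500 });` in each place. The `console.error` that logs the `api_secret` presence flag starts before the hunk, so the rest of what it prints cannot be checked here; as visible it only logs a boolean, which is fine for a server-side log.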
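Review bot: Now that `errorDetails` never leaves the server, the client has no handle to correlate a failure report with the two `console.error` lines (`'Upload error:'` at @@ -60 and `'Full error details:'` at @@ -70), which makes triage harder without reintroducing any detail. An opaque reference in both places restores that without leaking anything: `const ref = crypto.randomUUID();`, `console.error(`Full error details [${ref}]:`, errorDetails);` and `return NextResponse.json({ error: 'Failed to upload image', ref }, { status: 500 });`. The fields of `errorDetails` between the two hunks are not visible here, and the enclosing `POST` handler starts before the first hunk, so whether the raw `error` logged at `'Upload error:'` already duplicates everything in `errorDetails` cannot be confirmed from this diff.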