GerryK97 · GerryK97 · May 21, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-21 - Information Disclosure in API Error Responses
+**Vulnerability:** The image upload API (`/api/upload`) was returning detailed error messages directly to the client, including the status of environment variables (`CLOUDINARY_CLOUD_NAME`, `CLOUDINARY_API_KEY`, `CLOUDINARY_API_SECRET`) and raw, unhandled Cloudinary error objects.
+**Learning:** Returning raw internal error details to the client can leak sensitive configuration states and infrastructure details, providing an attacker with valuable reconnaissance information.
+**Prevention:** Always catch exceptions in API routes and return generic error messages to the client. Detailed error information should be logged strictly on the server side for debugging purposes, avoiding exposure to the end-user.
diff --git a/src/app/api/upload/route.ts b/src/app/api/upload/route.ts
@@ -12,7 +12,7 @@ export async function POST(request: NextRequest) {
         api_secret: !!process.env.CLOUDINARY_API_SECRET
       });
       return NextResponse.json(
-        { error: 'Cloudinary is not configured. Please set environment variables.' },
+        { error: 'Upload service is not configured' },
         { status: 500 }
       );
     }
@@ -58,9 +58,7 @@ export async function POST(request: NextRequest) {
       publicId: uploadResult.public_id,
     });
   } catch (error: any) {
-    console.error('Upload error:', error);
-
-    // Return detailed error message
+    // Return detailed error message internally
     const errorMessage = error?.message || error?.error?.message || 'Failed to upload image';
     const errorDetails = {
       error: errorMessage,
@@ -71,7 +69,7 @@ export async function POST(request: NextRequest) {
     console.error('Full error details:', errorDetails);
 
     return NextResponse.json(
-      errorDetails,
+      { error: 'Failed to upload image' },
       { status: 500 }
     );
   }