π‘οΈ Sentinel: [MEDIUM] Fix information disclosure in upload API#115
π‘οΈ Sentinel: [MEDIUM] Fix information disclosure in upload API#115GerryK97 wants to merge 1 commit into
Conversation
Co-authored-by: GerryK97 <210032986+GerryK97@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
1 participant
π¨ Severity: MEDIUM
π‘ Vulnerability: The
/api/uploadendpoint was returning detailed configuration errors (which env vars are missing) and detailed Cloudinary internal error objects directly to the client via its JSON response.π― Impact: This leaks sensitive internal server configuration status and third-party service internals to any client hitting the endpoint, slightly increasing the attack surface.
π§ Fix: We now catch these detailed errors and log them exclusively on the server backend (using
console.error) but we return a safe, sanitized generic error message to the client (e.g.Server configuration errororFailed to upload image).β Verification: Review the code for
src/app/api/upload/route.tsand verify that theNextResponse.jsoncalls only return static sanitized string values instead of theerrorDetailsobject.PR created automatically by Jules for task 7768493716577987353 started by @GerryK97