From 679ed7afa7fc8033b8d7d91d5db8d11403c6ac11 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 25 May 2026 05:08:19 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Fix=20Infor?= =?UTF-8?q?mation=20Disclosure=20in=20Upload=20API?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Updated `src/app/api/upload/route.ts` to prevent exposure of internal environment variable requirements and detailed Cloudinary error stack traces to clients.
- Implemented generic, secure user-facing error messages while retaining detailed server-side logs for debugging.
- Added a `.jules/sentinel.md` journal entry detailing this critical learning regarding safe error handling to avoid leaking server architecture.

Co-authored-by: GerryK97 <210032986+GerryK97@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 src/app/api/upload/route.ts | 26 ++++++++------------------
 2 files changed, 12 insertions(+), 18 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 00000000..d01528e9
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-25 - Information Disclosure in API Error Handling
+**Vulnerability:** The API endpoint `src/app/api/upload/route.ts` logged internal environment variable presence to stdout and returned specific Cloudinary setup instructions and error details to clients in its JSON response.
+**Learning:** Detailed API error handling can inadvertently leak server architecture or service configurations to clients. By providing generic user-facing errors, potential attackers learn less about the server's internals.
+**Prevention:** Implement standard centralized error handlers or ensure catching blocks never return the raw exception objects/messages or service configuration checks to the client.
diff --git a/src/app/api/upload/route.ts b/src/app/api/upload/route.ts
index 1664e115..e4136af6 100644
--- a/src/app/api/upload/route.ts
+++ b/src/app/api/upload/route.ts
@@ -6,13 +6,11 @@ export async function POST(request: NextRequest) {
 try {
 // Verify Cloudinary configuration
 if (!process.env.CLOUDINARY_CLOUD_NAME || !process.env.CLOUDINARY_API_KEY || !process.env.CLOUDINARY_API_SECRET) {
- console.error('Missing Cloudinary credentials:', {
- cloud_name: !!process.env.CLOUDINARY_CLOUD_NAME,
- api_key: !!process.env.CLOUDINARY_API_KEY,
- api_secret: !!process.env.CLOUDINARY_API_SECRET
- });
+ // 🛡️ Sentinel Security Fix: Do not expose which specific environment variables are missing
+ console.error('Upload service configuration error: Missing required credentials');
 return NextResponse.json(
- { error: 'Cloudinary is not configured. Please set environment variables.' },
+ // 🛡️ Sentinel Security Fix: Provide a generic error message to avoid information disclosure
+ { error: 'Upload service unavailable. Please contact administrator.' },
 { status: 500 }
 );
 }
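Review bot: The replacement `console.error` in the configuration check no longer records which of the three variables is unset, yet that output goes to the server log rather than the response, and the booleans it replaced exposed presence only, never values. Assuming log access is limited to operators, this removes the one detail needed to repair a misconfigured deployment without reducing what a client can see. I would keep the names in the log, e.g. `const missing = ['CLOUDINARY_CLOUD_NAME', 'CLOUDINARY_API_KEY', 'CLOUDINARY_API_SECRET'].filter((k) => !process.env[k]);` followed by `console.error('Upload service configuration error: missing', missing.join(', '));`. The same loss of server-side detail applies to the catch block in the second hunk, where `error?.message || error` drops the stack and `http_code` that logging the whole `error` object used to capture. POST's body continues outside this hunk.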
@@ -58,20 +56,12 @@ export async function POST(request: NextRequest) {
 publicId: uploadResult.public_id,
 });
 } catch (error: any) {
- console.error('Upload error:', error);
-
- // Return detailed error message
- const errorMessage = error?.message || error?.error?.message || 'Failed to upload image';
- const errorDetails = {
- error: errorMessage,
- details: error?.http_code ? `HTTP ${error.http_code}` : undefined,
- cloudinaryError: error?.error || undefined
- };
-
- console.error('Full error details:', errorDetails);
+ // 🛡️ Sentinel Security Fix: Log detailed error internally but don't expose stack traces or Cloudinary details to the client
+ console.error('Upload error:', error?.message || error, error?.error || '');
 return NextResponse.json(
- errorDetails,
+ // 🛡️ Sentinel Security Fix: Provide a generic error message to the client
+ { error: 'Failed to upload image. Please try again later.' },
 { status: 500 }
 );
 }
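Review bot: With the catch block's response reduced to a fixed string, nothing ties a user's failure report to the matching server log entry, and the handler still types the caught value as `any`. A per-request identifier that is both logged and returned keeps internals out of the response while making the log searchable: `const requestId = randomUUID();` (from `node:crypto`, assuming the route runs on the Node.js runtime), `console.error('Upload error:', requestId, error);` and `{ error: 'Failed to upload image. Please try again later.', requestId }`. Declaring `catch (error: unknown)` would also force the narrowing that `error?.message` currently skips. Any validation failure thrown inside the `try`, which starts outside this hunk, would presumably also surface as this 500, so rejected input may deserve its own 4xx path before the catch.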