From 7cb990c0905e90cbc32d38dc000c6e4a24fd2f98 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 26 May 2026 05:02:53 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM]=20?=
 =?UTF-8?q?Fix=20information=20exposure=20in=20upload=20API?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Prevent Cloudinary error details from leaking to the client in `src/app/api/upload/route.ts` on 500 errors.
- Ensure generic error response `{ error: 'Failed to upload image' }` is returned to the client instead.

Co-authored-by: GerryK97 <210032986+GerryK97@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 src/app/api/upload/route.ts | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 00000000..c55af9ad
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-03-01 - Cloudinary Error Details Information Disclosure
+**Vulnerability:** The API route for image upload (`src/app/api/upload/route.ts`) was returning a verbose `errorDetails` object (containing `cloudinaryError` details, `http_code`, and specific error messages) to the client upon failure.
+**Learning:** Detailed API error responses generated during service integration (like Cloudinary) often expose sensitive internal service configurations or state which can be leveraged for reconnaissance.
+**Prevention:** Always sanitize server error responses returned to the client. Keep detailed logs server-side (`console.error`) while returning generic error messages (e.g., `{ error: 'Failed to upload image' }`) via the API.
\ No newline at end of file
diff --git a/src/app/api/upload/route.ts b/src/app/api/upload/route.ts
index 1664e115..acec087c 100644
--- a/src/app/api/upload/route.ts
+++ b/src/app/api/upload/route.ts
@@ -70,8 +70,9 @@ export async function POST(request: NextRequest) {
 console.error('Full error details:', errorDetails);
+ // 🛡️ Sentinel: Secure error message - Don't leak details
 return NextResponse.json(
- errorDetails,
+ { error: 'Failed to upload image' },
 { status: 500 }
 );
 }
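Review bot: The added comment records which tool made the change rather than why the response body changed, which is what a later maintainer needs when they are tempted to put the details back; I would replace it with `// Return a generic message: the Cloudinary error object (http_code, provider messages) is logged above and must not reach the client.` The `console.error` call just above still writes the whole `errorDetails` object to server logs, which is reasonable for a provider error but worth confirming that the object can never carry the uploaded payload or credentials. POST starts before this hunk, so any earlier error responses in the function (validation failures, for example) are outside the view and should be checked for the same `errorDetails` pattern.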