GerryK97 · GerryK97 · May 26, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-03-01 - Cloudinary Error Details Information Disclosure
+**Vulnerability:** The API route for image upload (`src/app/api/upload/route.ts`) was returning a verbose `errorDetails` object (containing `cloudinaryError` details, `http_code`, and specific error messages) to the client upon failure.
+**Learning:** Detailed API error responses generated during service integration (like Cloudinary) often expose sensitive internal service configurations or state which can be leveraged for reconnaissance.
+**Prevention:** Always sanitize server error responses returned to the client. Keep detailed logs server-side (`console.error`) while returning generic error messages (e.g., `{ error: 'Failed to upload image' }`) via the API.
diff --git a/src/app/api/upload/route.ts b/src/app/api/upload/route.ts
@@ -70,8 +70,9 @@ export async function POST(request: NextRequest) {
 
     console.error('Full error details:', errorDetails);
 
+    // 🛡️ Sentinel: Secure error message - Don't leak details
     return NextResponse.json(
-      errorDetails,
+      { error: 'Failed to upload image' },
       { status: 500 }
     );
   }