From 5a6910ca1702c743157a4ef01c1ee50aed947c48 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 30 May 2026 05:08:14 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?=
 =?UTF-8?q?x=20information=20disclosure=20in=20upload=20endpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: GerryK97 <210032986+GerryK97@users.noreply.github.com>
---
 .jules/sentinel.md | 5 +++++
 src/app/api/upload/route.ts | 20 +++-----------------
 2 files changed, 8 insertions(+), 17 deletions(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 00000000..ef956144
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,5 @@
+
+## 2024-05-30 - Prevent Information Disclosure in Upload Endpoints
+**Vulnerability:** The `/api/upload` endpoint was leaking sensitive internal configuration details (such as the presence or absence of specific Cloudinary environment variables) and detailed third-party service errors (like Cloudinary stack traces and HTTP codes) directly to the client in the 500 error response.
+**Learning:** Returning detailed error objects or stack traces from third-party services, or explicit validation checks for server configuration variables, directly to the client exposes internal architectural details that attackers can use to map the backend infrastructure or exploit misconfigurations.
+**Prevention:** Always catch exceptions or validation errors internally, log the detailed error for debugging, and return a sanitized, generic error message (e.g., 'Internal server error') to the client.
diff --git a/src/app/api/upload/route.ts b/src/app/api/upload/route.ts
index 1664e115..65e43337 100644
--- a/src/app/api/upload/route.ts
+++ b/src/app/api/upload/route.ts
@@ -6,13 +6,9 @@ export async function POST(request: NextRequest) {
 try {
 // Verify Cloudinary configuration
 if (!process.env.CLOUDINARY_CLOUD_NAME || !process.env.CLOUDINARY_API_KEY || !process.env.CLOUDINARY_API_SECRET) {
- console.error('Missing Cloudinary credentials:', {
- cloud_name: !!process.env.CLOUDINARY_CLOUD_NAME,
- api_key: !!process.env.CLOUDINARY_API_KEY,
- api_secret: !!process.env.CLOUDINARY_API_SECRET
- });
+ console.error('Missing Cloudinary credentials.');
 return NextResponse.json(
- { error: 'Cloudinary is not configured. Please set environment variables.' },
+ { error: 'Internal server error' },
 { status: 500 }
 );
 }
@@ -60,18 +56,8 @@ export async function POST(request: NextRequest) {
 }
 } catch (error: any) {
 console.error('Upload error:', error);
- // Return detailed error message
- const errorMessage = error?.message || error?.error?.message || 'Failed to upload image';
- const errorDetails = {
- error: errorMessage,
- details: error?.http_code ? `HTTP ${error.http_code}` : undefined,
- cloudinaryError: error?.error || undefined
- };
-
- console.error('Full error details:', errorDetails);
-
 return NextResponse.json(
- errorDetails,
+ { error: 'Internal server error' },
 { status: 500 }
 );
 }
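Review bot: The replaced `console.error('Missing Cloudinary credentials.')` line in the first hunk no longer records which of the three variables is absent, which the removed presence map did; that map held only booleans, never values, and console output is not part of the 500 body, so dropping it cost a server-side diagnostic without changing what the client receives. Keep the response generic as the commit does, but restore the detail in the log, e.g. `const missing = ['CLOUDINARY_CLOUD_NAME', 'CLOUDINARY_API_KEY', 'CLOUDINARY_API_SECRET'].filter((k) => !process.env[k]);` followed by `console.error('Missing Cloudinary credentials:', missing);`. The enclosing POST handler starts before this hunk and continues after it.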
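Review bot: With the response body reduced to `{ error: 'Internal server error' }` in the second hunk, a failure a client reports can no longer be matched to the `console.error('Upload error:', error)` entry it produced, and nothing in the hunk replaces that link. Consider tagging both with a random id that carries no internal detail: `const errorId = crypto.randomUUID();`, `console.error('Upload error:', errorId, error);` and `{ error: 'Internal server error', errorId }` in the response (global `crypto` is expected in both Next.js runtimes, but confirm for the project's Node version). Separately, the new body never dereferences `error`, so the `catch (error: any)` kept as context is no longer needed and `catch (error: unknown)` would compile under `useUnknownInCatchVariables`. Both hunks end inside POST, whose body between them is outside the diff, so whether every failure path, input validation included, now surfaces as a generic 500 cannot be judged from here.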