Skip to content

πŸ›‘οΈ Sentinel: [HIGH] Fix information disclosure in upload endpoint #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
GerryK97 wants to merge 1 commit into
base: Production
Choose a base branch
from
Open

πŸ›‘οΈ Sentinel: [HIGH] Fix information disclosure in upload endpoint #121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@

## 2024-05-30 - Prevent Information Disclosure in Upload Endpoints
**Vulnerability:** The `/api/upload` endpoint was leaking sensitive internal configuration details (such as the presence or absence of specific Cloudinary environment variables) and detailed third-party service errors (like Cloudinary stack traces and HTTP codes) directly to the client in the 500 error response.
**Learning:** Returning detailed error objects or stack traces from third-party services, or explicit validation checks for server configuration variables, directly to the client exposes internal architectural details that attackers can use to map the backend infrastructure or exploit misconfigurations.
**Prevention:** Always catch exceptions or validation errors internally, log the detailed error for debugging, and return a sanitized, generic error message (e.g., 'Internal server error') to the client.
20 changes: 3 additions & 17 deletions src/app/api/upload/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,9 @@ export async function POST(request: NextRequest) {
try {
// Verify Cloudinary configuration
if (!process.env.CLOUDINARY_CLOUD_NAME || !process.env.CLOUDINARY_API_KEY || !process.env.CLOUDINARY_API_SECRET) {
console.error('Missing Cloudinary credentials:', {
cloud_name: !!process.env.CLOUDINARY_CLOUD_NAME,
api_key: !!process.env.CLOUDINARY_API_KEY,
api_secret: !!process.env.CLOUDINARY_API_SECRET
});
console.error('Missing Cloudinary credentials.');
return NextResponse.json(
{ error: 'Cloudinary is not configured. Please set environment variables.' },
{ error: 'Internal server error' },
{ status: 500 }
);
}
Expand Down Expand Up @@ -60,18 +56,8 @@ export async function POST(request: NextRequest) {
} catch (error: any) {
console.error('Upload error:', error);

// Return detailed error message
const errorMessage = error?.message || error?.error?.message || 'Failed to upload image';
const errorDetails = {
error: errorMessage,
details: error?.http_code ? `HTTP ${error.http_code}` : undefined,
cloudinaryError: error?.error || undefined
};

console.error('Full error details:', errorDetails);

return NextResponse.json(
errorDetails,
{ error: 'Internal server error' },
{ status: 500 }
);
}
Expand Down