Security Patch: Sanitize Error Responses to Prevent Internal Schema and Data Leakage#719
Merged
Conversation
…production fail-fast
…-fast and rate-limited dev fallback
…safe auth, and cooldown dedup
… leakage in production
ArshVermaGit (Contributor, Author) commented Jun 4, 2026
Hi @durdana3105! The issue assigned to me has been resolved in this PR. Please consider reviewing it and merging it under GSSoC. Thanks!
Description
This Pull Request resolves a moderate-severity information disclosure vulnerability where the global error handler indiscriminately returned raw err.message, err.details, and internal error structures directly to the client. Attackers could deliberately trigger validation failures and edge-case errors to extract internal schema structures (via Zod validation details), server file paths (via stack traces), database constraint names, and dependency information — effectively providing a free reconnaissance roadmap of the application's internals.

Key Changes

errorHandler.js (backend/middlewares/errorHandler.js) with a three-tier error classification strategy:
- { error: "Validation failed" } with zero field-level details. No schema names, types, constraints, or enum values leak. In development, full err.errors are included for debugging convenience.
- err.details property (which may contain internal context like retry hints) is only included in development.
- SAFE_STATUS_MESSAGES lookup map. The client only ever sees generic messages like "Internal server error." — never raw err.message, err.stack, file paths, or database constraint details.
- req.requestId, enabling full debugging via server logs without exposing any information to clients.
- NODE_ENV !== "production", preserving a smooth local debugging experience.

Resolved Issue
Resolves #674
Verification Steps
1. NODE_ENV=production and send a request with an intentionally malformed body to a validated endpoint. Confirm the response contains only { "error": "Validation failed" } with no details or field names.
2. { "error": "Internal server error." } with no stack traces, file paths, or library-specific error formats.
3. NODE_ENV=development and repeat. Confirm that full error details, Zod field errors, and stack traces are now visible in the response for debugging.
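The three-tier handler the description lays out, as an added example that is not the PR's own code: the Zod detection (an Error named "ZodError" carrying an `errors` array), the contents of SAFE_STATUS_MESSAGES, and echoing req.requestId back to the client are assumptions made here, not taken from the project.

```javascript
// Added example, not the PR's own code: an Express-style error handler shaped like the
// three tiers described above. The Zod check (name "ZodError" + `errors` array), the map
// contents and echoing req.requestId back to the client are assumptions, not the PR's.

const SAFE_STATUS_MESSAGES = {
  400: "Bad request.",
  401: "Unauthorized.",
  403: "Forbidden.",
  404: "Not found.",
  500: "Internal server error.",
};

// Assumed Zod shape: a thrown Error named "ZodError" carrying an `errors` array.
function isValidationError(err) {
  return Boolean(err) && err.name === "ZodError" && Array.isArray(err.errors);
}

// Pure classifier (no req/res) so each tier can be tested directly. Returns { status, body }.
function buildErrorResponse(raw, env = process.env.NODE_ENV) {
  const err = raw instanceof Error ? raw : new Error(String(raw)); // non-Error throws
  const dev = env !== "production";
  // Tier 1: validation failure -> 400, field-level errors only in development.
  if (isValidationError(err)) {
    const body = { error: "Validation failed" };
    if (dev) body.errors = err.errors;
    return { status: 400, body };
  }
  // Tier 2: explicit 4xx status -> generic text for that status; err.details only in dev.
  const s = Number.isInteger(err.status) ? err.status : 500;
  const status = s >= 400 && s < 600 ? s : 500;
  if (status < 500) {
    const body = { error: SAFE_STATUS_MESSAGES[status] || SAFE_STATUS_MESSAGES[500] };
    if (dev && err.details !== undefined) body.details = err.details;
    return { status, body };
  }
  // Tier 3: everything else -> 500; raw message/stack (paths, constraint names) only in dev.
  const body = { error: SAFE_STATUS_MESSAGES[500] };
  if (dev) { body.message = err.message; body.stack = err.stack; }
  return { status, body };
}

// Express signature (err, req, res, next): the full error is logged server-side under the
// request id; the client receives only the sanitized body plus that id for support tickets.
function errorHandler(err, req, res, next) {
  const requestId = (req && req.requestId) || "unknown";
  console.error(`[${requestId}]`, err);
  const { status, body } = buildErrorResponse(err);
  res.status(status).json({ ...body, requestId });
}
```

Register it with `app.use(errorHandler)` after all routes; the verification steps above can then be run against buildErrorResponse directly, with the environment passed as the second argument.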