Open
Severity: Low
Component: Error Handling / Validation
Status: Requires Review
Description
Error messages should be reviewed to ensure they don't leak sensitive information about the backend infrastructure, internal paths, or implementation details.
Areas to Review
- Validation Errors: Check if detailed field validation errors reveal too much
- Database Errors: Ensure database connection errors don't leak credentials
- File System Errors: Verify path traversal errors don't reveal directory structure
- Git Errors: Check if git command errors expose system information
Example Issues to Check
```ts
// Potentially problematic error message
throw new Error(`Failed to clone repository from ${repoUrl}: ${gitError.message}`);
// Could reveal internal git setup, paths, etc.

// Better error message
throw new Error('Repository cloning failed. Please verify the repository URL.');
```
Recommended Fix
```ts
// apps/backend/src/middleware/errorHandler.ts
import type { Request, Response, NextFunction } from 'express';

// Express only treats middleware with four parameters as an error handler,
// so `next` must stay in the signature even though it is not called here.
export const errorHandler = (err: Error, req: Request, res: Response, next: NextFunction) => {
  // Log the full error internally; this detail never leaves the server
  console.error('Error occurred:', {
    message: err.message,
    stack: err.stack,
    path: req.path,
    method: req.method,
    ip: req.ip,
    timestamp: new Date().toISOString()
  });

  // Generic error response for the client; message and stack only outside production
  const isProduction = process.env.NODE_ENV === 'production';
  res.status(500).json({
    error: 'Internal Server Error',
    code: 'INTERNAL_ERROR',
    ...(!isProduction && { message: err.message, stack: err.stack })
  });
};
```
Testing
Review error messages by:
- Triggering various error conditions
- Checking for leaked file paths
- Verifying no stack traces in production
- Ensuring generic error messages externally
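As an added example (not code from this repository), here is a framework-free version of the same handler logic together with a small checker for the review steps listed above. It separates errors that carry a client-safe message (`AppError`) from everything else, which collapses to the generic body, and `findLeakIndicators` flags the kinds of detail the checklist asks about: file system paths, stack frames, URLs with embedded credentials and database connection strings. `AppError`, `buildClientErrorBody`, `findLeakIndicators` and the pattern list are assumptions of this example, and the patterns are a starting set rather than an exhaustive one.

```typescript
// Added example, not part of the issue or the project's code base.
// Error shaping and a leak checker usable in a test suite.

// Errors whose message is written for the client and safe to return.
class AppError extends Error {
  readonly status: number;
  readonly code: string;
  constructor(message: string, status: number, code: string) {
    super(message);
    this.name = 'AppError';
    this.status = status;
    this.code = code;
  }
}

interface ClientErrorBody {
  error: string;
  code: string;
  message?: string;
  stack?: string;
}

// Build the body sent to the client. Only AppError carries a user-facing
// message; any other error becomes the generic response, with the raw
// message and stack attached only outside production.
function buildClientErrorBody(err: unknown, isProduction: boolean): { status: number; body: ClientErrorBody } {
  if (err instanceof AppError) {
    return { status: err.status, body: { error: err.message, code: err.code } };
  }
  const body: ClientErrorBody = { error: 'Internal Server Error', code: 'INTERNAL_ERROR' };
  if (!isProduction && err instanceof Error) {
    body.message = err.message;
    body.stack = err.stack;
  }
  return { status: 500, body };
}

// Indicators a reviewer looks for in externally visible error text.
// Constructed for this example; extend per code base.
const LEAK_PATTERNS: Array<[string, RegExp]> = [
  ['unix-path', /(?:^|[\s:'"(])\/(?:home|usr|var|etc|app|srv|opt|tmp)\/[^\s'")]+/],
  ['windows-path', /\b[A-Za-z]:\\[^\s'")]+/],
  ['stack-frame', /\bat (?:[^\s(]+ )?\([^()]*:\d+:\d+\)/],
  ['url-credentials', /[a-z][a-z0-9+.-]*:\/\/[^\s/:@]+:[^\s/@]+@/i],
  ['connection-string', /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\//i],
];

// Return the names of all indicators present in the given text (for example
// a serialized response body); an empty array means nothing was flagged.
function findLeakIndicators(text: string): string[] {
  return LEAK_PATTERNS.filter(([, re]) => re.test(text)).map(([name]) => name);
}
```

In a test, trigger each failure path, serialize the response body and assert that `findLeakIndicators` returns an empty array with `isProduction` set; the development case is the positive control that shows the checker does catch the path when details are intentionally included.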