fix(pg-pkg): mask internal error details in HTTP responses (#217)#221
Draft
dobby-coder[bot] wants to merge 1 commit into
Conversation
Internal-only error variants leaked implementation details into HTTP
response bodies via format!("{}", self). Error::Prometheus embeds the
underlying prometheus error text, exposing internals to clients.
Return a generic "internal server error" message for Error::Prometheus
while logging the full error server-side with log::error!. Client-facing
error messages are unchanged.
Refs #217 (GHSA-c2rq-r4h4-xr73)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary

`ResponseError::error_response()` in `pg-pkg/src/error.rs` built the client-facing JSON body with `format!("{}", self)` for every error variant. `Error::Prometheus(e)`'s `Display` impl embeds the underlying prometheus error text (`prometheus error: {e}`), so internal implementation details were forwarded to HTTP response bodies — the hardening concern tracked in #217 / GHSA-c2rq-r4h4-xr73.

Changes

- `Error::Prometheus` now returns a generic `"internal server error"` message in the HTTP response body.
- The full error is still logged server-side with `log::error!` (the crate's existing logging facility), so operators lose no diagnostic detail.
- Client-facing errors (`SessionNotFound`, `ChronologyError`, `APIKeyInvalid`) keep their existing descriptive messages — those are intentional and carry no internals.
- HTTP status codes are unchanged (`Error::Prometheus` still maps to `500`).

Tests

Added unit tests in `pg-pkg/src/error.rs`:

- `prometheus_error_is_masked_in_response_body` — asserts the response body is `{"error": true, "message": "internal server error"}`, returns `500`, and that the sensitive inner detail never appears in the body (while remaining available via `Display` for logging).
- `client_facing_error_message_is_preserved` — asserts a normal client error (`SessionNotFound`) still returns its descriptive message.

Verified locally:

- `cargo test -p pg-pkg error::` — both new tests pass.
- `cargo fmt --all -- --check` — clean.
- `cargo build --profile edge --bin pg-pkg` — builds on the Docker/CI toolchain path.

Refs #217
🤖 Generated with Claude Code
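The masking pattern this PR describes, as an added framework-free example (not the pg-pkg crate's own code): the leaky `format!("{}", self)` body beside the hardened one, with the full `Display` text kept for the server-side log rather than the client. Assumptions: a two-variant stand-in `Error` enum, `404` for `SessionNotFound`, and a `Vec<String>` in place of `log::error!`.

```rust
use std::fmt;
// Constructed stand-in for the crate's error type (assumption: two variants suffice).
pub enum Error {
    Prometheus(String), // internal: wraps upstream text that must not reach clients
    SessionNotFound,    // client-facing: its message is intentionally descriptive
}
impl fmt::Display for Error {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Error::Prometheus(e) => write!(f, "prometheus error: {e}"),
            Error::SessionNotFound => write!(f, "session not found"),
        }
    }
}

impl Error {
    // 500 for Prometheus is from the PR; 404 for SessionNotFound is an assumption.
    pub fn status_code(&self) -> u16 {
        match self {
            Error::Prometheus(_) => 500,
            Error::SessionNotFound => 404,
        }
    }
    // Body-safe text: descriptive for client-facing variants, a fixed generic string
    // for internal ones. Display is left intact for server-side logging.
    pub fn client_message(&self) -> String {
        match self {
            Error::Prometheus(_) => "internal server error".to_string(),
            Error::SessionNotFound => self.to_string(),
        }
    }
}

// Build {"error": true, "message": "..."}; escape so the message cannot break the JSON.
fn json_body(message: &str) -> String {
    let escaped = message.replace('\\', "\\\\").replace('"', "\\\"");
    format!("{{\"error\": true, \"message\": \"{escaped}\"}}")
}
// Before the fix: body built from format!("{}", self), so inner detail leaks.
pub fn leaky_response(err: &Error) -> (u16, String) {
    (err.status_code(), json_body(&format!("{}", err)))
}
// After the fix: generic body for internal variants; the full Display text goes to the
// server-side log sink (a Vec<String> stands in for log::error! here).
pub fn masked_response(err: &Error, log: &mut Vec<String>) -> (u16, String) {
    if matches!(err, Error::Prometheus(_)) {
        log.push(err.to_string());
    }
    (err.status_code(), json_body(&err.client_message()))
}
```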