fix: prevent error message information disclosure + standardize error handling (TDD)
All checks were successful
Build & Deploy to Staging / Build & Deploy to Staging (push) Successful in 13m10s
All checks were successful
Build & Deploy to Staging / Build & Deploy to Staging (push) Successful in 13m10s
Security & Consistency Fixes: - Convert routes no longer leak internal error messages (err.message) - Templates route no longer exposes error details via 'detail' field - Admin cleanup endpoint no longer exposes error message - Standardized QUEUE_FULL response: 429 → 503 (Service Unavailable) - Added missing PDF_TIMEOUT handling: returns 504 Gateway Timeout - Generic 500 errors now return 'PDF generation failed.' without internals TDD Approach: 1. RED: Created error-responses.test.ts with 11 failing tests 2. GREEN: Fixed src/routes/convert.ts, templates.ts, and index.ts 3. Updated convert.test.ts to expect new correct status codes 4. All 541 tests pass Before: 'PDF generation failed: Puppeteer crashed: SIGSEGV in Chrome' After: 'PDF generation failed.' (internals logged, not exposed) Closes security audit findings re: information disclosure
This commit is contained in:
parent
6b1b3d584e
commit
424a16ed8a
5 changed files with 293 additions and 13 deletions
|
|
@ -174,6 +174,6 @@ templatesRouter.post("/:id/render", async (req: Request, res: Response) => {
|
|||
res.send(pdf);
|
||||
} catch (err: any) {
|
||||
logger.error({ err }, "Template render error");
|
||||
res.status(500).json({ error: "Template rendering failed", detail: err.message });
|
||||
res.status(500).json({ error: "Template rendering failed" });
|
||||
}
|
||||
});
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue