Skip to content

security: sanitize error messages to prevent info disclosure#412

Merged
its-me-abhishek merged 1 commit intomainfrom
security/sanitize-error-messages
Jan 19, 2026
Merged

security: sanitize error messages to prevent info disclosure#412
its-me-abhishek merged 1 commit intomainfrom
security/sanitize-error-messages

Conversation

@cfsmp3
Copy link
Copy Markdown
Collaborator

@cfsmp3 cfsmp3 commented Jan 19, 2026

Summary

  • Replace detailed error messages with generic ones to prevent information disclosure
  • Log actual errors for debugging while showing safe messages to users

Security Issue Addressed

Debug Information Disclosure (Low) - Previously, detailed error messages (including internal error details) were returned to users. This could leak sensitive information about the system, libraries used, or internal structure.

Changes

  • backend/controllers/app_handlers.go:

    • OAuth errors: Show "Authentication failed" instead of err.Error()
    • Session errors: Show "Session error" instead of err.Error()
    • Logout errors: Show "Logout failed" instead of err.Error()
    • Log actual errors for debugging

  • backend/controllers/add_task.go:

    • JSON decode errors: Show "Invalid request body" instead of decode error details

Notes

  • Validation errors (like "Invalid date format", "Invalid dependencies") are intentionally kept as they help users understand what needs to be fixed
  • This is a focused fix for the most critical error exposures; additional controllers could be updated similarly in follow-up PRs

Test plan

  • Verify OAuth errors show generic message
  • Verify session errors show generic message
  • Verify detailed errors are logged server-side
  • Verify validation errors still provide helpful feedback

🤖 Generated with Claude Code

@cfsmp3 @claude
security: sanitize error messages to prevent info disclosure
a5252ee 
Replace detailed error messages with generic ones to prevent leaking
internal system information to users. Actual errors are logged for
debugging.

- OAuth errors: "Authentication failed" instead of err.Error()
- Session errors: "Session error" instead of err.Error()
- JSON decode errors: "Invalid request body" instead of decode error
- Logout errors: "Logout failed" instead of err.Error()

Note: Validation errors (like "Invalid date format") are kept as they
help users understand what needs to be fixed.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 19, 2026

Thank you for opening this PR!

Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools.

Please take a moment to:

  • Check the "Files changed" tab
  • Leave comments on any lines for functions, comments, etc. that are important, non-obvious, or may need attention
  • Clarify decisions you made or areas you might be unsure about and/or any future updates being considered.
  • Finally, submit all the comments!

More information on how to conduct a self review:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request

This helps make the review process smoother and gives us a clearer understanding of your thought process.

Once you've added your self-review, we'll continue from our side. Thank you!

@its-me-abhishek its-me-abhishek merged commit 679b006 into main Jan 19, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@its-me-abhishek its-me-abhishek its-me-abhishek approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cfsmp3 @its-me-abhishek