
Fix/error message disclosure#6226

Open
buildwithnisha wants to merge 5 commits into
JhaSourav07:mainfrom
buildwithnisha:fix/error-message-disclosure

Conversation

@buildwithnisha

Contributor

Description

Fixes #6175


Sanitized API error responses to prevent leaking sensitive internal information to clients.

Changes Made

  • Removed raw error.message exposure from app/api/github/route.ts
  • Added server-side logging for detailed error debugging
  • Returned a generic error message to clients for unexpected failures

Security Impact

Prevents disclosure of:

  • Internal file paths
  • Stack traces
  • Database/query details
  • Environment variable names
  • Sensitive implementation details

Testing

  • Verified API fallback errors now return:
    {
      "error": "An internal error occurred"
    }

Pillar

  • 🎨 Pillar 1 — New Theme Design
  • 📐 Pillar 2 — Geometric SVG Improvement
  • 🕐 Pillar 3 — Timezone Logic Optimization
  • 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

Checklist before requesting a review:

  • [x] I have read the CONTRIBUTING.md file.
  • I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
  • I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
  • [x] My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
  • [x] I have updated README.md if I added a new theme or URL parameter.
  • [x] I have starred the repo.
  • [x] I have made sure that I have only one commit to merge in this PR.
  • [x] The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
  • (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.
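The pattern the PR describes (drop the raw error.message from the response, log the detail server-side, return a generic body) is shown below as an added example; it is not the project's code and does not reproduce app/api/github/route.ts. It is written framework-free so it runs stand-alone: AppError, toErrorResponse, fetchGithubStats and handleRequest are assumed names, and the upstream failure is a constructed error carrying the kind of path and environment-variable detail that must not reach a client. It also covers the caveat a reviewer would raise: expected client-facing failures (here, a missing user parameter) should keep their own status and message, and the generic response should carry a request id that matches the server log entry so the detail is still findable.

```typescript
// Added example (not the project's code): sanitized error handling for a
// Next.js-style route handler, written without the framework so it runs alone.
// Assumed names: AppError, toErrorResponse, fetchGithubStats, handleRequest.

import { randomUUID } from "node:crypto";

// Errors the handler raises on purpose for the client (expected failures).
// Their messages are authored by us, so returning them verbatim is safe.
class AppError extends Error {
  readonly status: number;
  constructor(message: string, status: number) {
    super(message);
    this.name = "AppError";
    this.status = status;
  }
}

interface ErrorResponse {
  status: number;
  body: { error: string; requestId: string };
}

// Pluggable logger so the example (and its test) can capture what is logged.
type Logger = (entry: Record<string, unknown>) => void;

// The "before" shape this PR removes: raw error.message straight to the client.
// Kept only for contrast; never use it in a handler.
function leakyErrorBody(err: unknown): { error: string } {
  return { error: err instanceof Error ? err.message : String(err) };
}

// The hardened mapping. Expected AppErrors keep their status and message.
// Anything else becomes a generic 500; the full message and stack go to the
// server log under a request id the client can quote back to support.
function toErrorResponse(err: unknown, log: Logger): ErrorResponse {
  const requestId = randomUUID();
  if (err instanceof AppError) {
    log({ level: "warn", requestId, status: err.status, message: err.message });
    return { status: err.status, body: { error: err.message, requestId } };
  }
  const detail =
    err instanceof Error
      ? { message: err.message, stack: err.stack }
      : { message: String(err) };
  log({ level: "error", requestId, ...detail });
  return { status: 500, body: { error: "An internal error occurred", requestId } };
}

// Constructed stand-in for the upstream GitHub call with two failure modes.
async function fetchGithubStats(user: string): Promise<{ user: string; commits: number }> {
  if (user === "") throw new AppError("Missing required parameter: user", 400);
  if (user === "boom") {
    // Constructed internal failure carrying detail that must not leak.
    throw new Error(
      "ENOENT: no such file or directory, open '/var/task/.next/server/app/api/github/route.js' (GITHUB_TOKEN unset)"
    );
  }
  return { user, commits: 42 };
}

// Route-handler shape: success passes data through, every failure is mapped.
async function handleRequest(
  user: string,
  log: Logger = console.error
): Promise<{ status: number; body: unknown }> {
  try {
    const data = await fetchGithubStats(user);
    return { status: 200, body: data };
  } catch (err) {
    return toErrorResponse(err, log);
  }
}
```

In a real route handler the returned status and body would be wrapped in the framework's response object, and the same mapping applies to any other route (the checklist's /api/streak, for instance) that currently echoes error.message. The request id is the piece that keeps debugging possible after the detail is removed from the response: it appears in both the client body and the log entry, and in nothing else.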

@vercel

vercel Bot commented Jun 21, 2026


@buildwithnisha is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@Aamod-Dev Aamod-Dev added GSSoC 2026 mentor:Aamod007 level:beginner Small changes Usually isolated fixes or simple UI/text updates. quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security bug Something isn't working labels Jun 21, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Thank you for fixing this error message disclosure vulnerability in app/api/github/route.ts. Raw error messages can expose sensitive information, so returning a generic fallback to the client while logging the detailed error server-side is the correct mitigation. Approved!

@github-actions github-actions Bot added the type:bug Something isn't working as expected label Jun 21, 2026

Labels

bug Something isn't working gssoc:needs-rebase GSSoC 2026 level:beginner Small changes Usually isolated fixes or simple UI/text updates. mentor:Aamod007 quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security type:bug Something isn't working as expected


Development

Successfully merging this pull request may close these issues.

fix(api): error message disclosure - raw errors returned to clients (MEDIUM)

3 participants