fix(security): never echo err.message verbatim on 4xx #75
Merged
Before: error-handler.js returned err.message verbatim for any
status < 500. A future middleware / library that threw with detail
(Sequelize validation error revealing column names, pg driver
hostname leak, third-party library stack frame) would surface that
to the client without filtering.
After: 4xx responses use generic per-status messages by default
(GENERIC_MESSAGES table). Echo the original err.message ONLY when
the error is explicitly marked safe via err.expose === true —
the http-errors / express body-parser convention. Body-parser's
PayloadTooLargeError, BadRequest from malformed JSON, etc. all
set expose=true, so legitimate client-side errors keep their
descriptive messages. Sequelize, pg, and most third-party libs
don't set expose, so their messages now stay in the log instead
of the response body.
5xx behavior unchanged — still always "Error!" with a requestId
for log correlation.
Tests:
- Existing "doesn't leak 500 detail" coverage preserved.
- New cases:
* 4xx without expose → generic, no detail
* 4xx with expose=true → message echoed
* PayloadTooLargeError-style → message echoed
* Sequelize-style 4xx → generic, no "Sequelize" / column name
Closes #73 P1-B.
Suite: 280 / 280 + 4 integration skipped (was 276 / 276).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
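As an added illustration of the policy described above (not the project's own error-handler.js), here is a minimal Express-style handler: generic per-status messages for 4xx, pass-through only when `err.expose === true`, and a fixed "Error!" plus requestId for 5xx. The table contents, the helper names and the sample errors are assumptions, not taken from the PR.

```javascript
// Added example: Express-style error handler implementing the 4xx/5xx policy
// from the PR description. GENERIC_MESSAGES entries and helper names are assumed.
const GENERIC_MESSAGES = {
  400: 'Bad Request',
  401: 'Unauthorized',
  403: 'Forbidden',
  404: 'Not Found',
  409: 'Conflict',
  413: 'Payload Too Large',
  422: 'Unprocessable Entity',
  429: 'Too Many Requests',
};

// Normalise err.status / err.statusCode; anything unparseable is treated as 500.
function statusOf(err) {
  const s = Number(err && (err.status || err.statusCode));
  return Number.isInteger(s) && s >= 400 && s <= 599 ? s : 500;
}

function newRequestId() {
  // Node >= 19 exposes Web Crypto on globalThis; fall back to a random hex string.
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === 'function') {
    return globalThis.crypto.randomUUID();
  }
  return Math.random().toString(16).slice(2, 14);
}

// Pure decision function: returns the status and JSON body that should be sent.
function buildErrorResponse(err, requestId) {
  const status = statusOf(err);
  if (status >= 500) {
    // 5xx: never echo detail; the requestId lets an operator find the log line.
    return { status, body: { error: 'Error!', requestId } };
  }
  // 4xx: echo only when the thrower marked the message safe (http-errors convention).
  const safe = err.expose === true && typeof err.message === 'string' && err.message;
  const message = safe ? err.message : (GENERIC_MESSAGES[status] || GENERIC_MESSAGES[400]);
  return { status, body: { error: message, requestId } };
}

// Express signature (err, req, res, next): full error goes to the log, filtered body to the client.
function errorHandler(err, req, res, next) {
  const requestId = (req && req.id) || newRequestId();
  const { status, body } = buildErrorResponse(err, requestId);
  console.error(`[${requestId}] ${status} ${err && err.stack ? err.stack : String(err)}`);
  res.status(status).json(body);
}
```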
Closes #73 P1-B.
Problem
error-handler.js echoed err.message verbatim on any status < 500. Future middleware that throws with detail (Sequelize: column names; pg driver: hostnames; third-party libs: stack frames) leaked to the client.
Fix
4xx defaults to per-status generic messages. Pass-through is opt-in via err.expose === true (http-errors convention) — body-parser, http-errors-derived libs, our own intentional client errors all keep working. Sequelize / pg-driver / un-annotated errors get the generic.
Test plan