SECURITY: Error messages from Go errors displayed unescaped could leak internals #41

Closed
opened 2026-02-16 06:56:35 +01:00 by clawbot · 0 comments
Collaborator

## Severity: MEDIUM

## File: `internal/handlers/app.go` line 73

## Description

```go
data["Error"] = "Failed to create app: " + createErr.Error()
```

The raw Go error message (which may contain internal details like file paths, SQL errors, or stack traces) is passed directly to the template. While Go's `html/template` auto-escapes HTML, this is still an information disclosure issue — internal error details should never be shown to users.

This pattern appears in `HandleAppCreate` but not in other handlers (which correctly use generic messages like "Failed to create user").

## Suggested Fix

Use a generic error message for the user and log the detailed error server-side:

```go
h.log.Error("failed to create app", "error", createErr)
data["Error"] = "Failed to create app. Check server logs for details."
```
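A fuller version of the suggested fix, added here as an example rather than code from the upaas project: the detailed error goes to the structured logger under a generated reference id, and only the generic message (carrying that id so an operator can find the log line) is returned for `data["Error"]`. The `safeUserError`, `unsafeUserError`, `leaksInternals` and `newRefID` names and the sample error text are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log/slog"
	"os"
	"strings"
)

// newRefID returns a short random id that ties the user-facing message to
// the server-side log entry without revealing anything about the failure.
func newRefID() string {
	b := make([]byte, 4)
	if _, err := rand.Read(b); err != nil {
		return "unknown"
	}
	return hex.EncodeToString(b)
}

// safeUserError logs the full error (paths, SQL text, wrapped chain) with a
// reference id and returns only a generic message plus that id for the template.
func safeUserError(log *slog.Logger, action string, err error) (string, string) {
	id := newRefID()
	log.Error("failed to "+action, "ref", id, "error", err)
	return fmt.Sprintf("Failed to %s. Check server logs for details (ref %s).", action, id), id
}

// unsafeUserError is the pattern flagged in this issue, kept for comparison:
// err.Error() ends up verbatim in data["Error"].
func unsafeUserError(action string, err error) string {
	return "Failed to " + action + ": " + err.Error()
}

// leaksInternals reports whether a user-facing message still contains the
// internal error text; useful as a regression check in handler tests.
func leaksInternals(msg string, err error) bool {
	return strings.Contains(msg, err.Error())
}

func main() {
	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
	// Constructed error resembling what a DB driver might return.
	createErr := errors.New(`pq: relation "apps" does not exist`)
	data := map[string]string{}
	data["Error"], _ = safeUserError(log, "create app", createErr)
	fmt.Println(data["Error"])
}
```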
sneak closed this issue 2026-02-16 07:01:53 +01:00

Reference: sneak/upaas#41