SECURITY: Error messages from Go errors displayed unescaped could leak internals #41

Closed
opened 2026-02-16 06:56:35 +01:00 by clawbot · 0 comments
Collaborator

## Severity: MEDIUM

## File: `internal/handlers/app.go` line 73

## Description

```go
data["Error"] = "Failed to create app: " + createErr.Error()
```

The raw Go error message (which may contain internal details like file paths, SQL errors, or stack traces) is passed directly to the template. While Go's `html/template` auto-escapes HTML, this is still an information disclosure issue — internal error details should never be shown to users.

This pattern appears in `HandleAppCreate` but not in other handlers (which correctly use generic messages like "Failed to create user").

## Suggested Fix

Use a generic error message for the user and log the detailed error server-side:

```go
h.log.Error("failed to create app", "error", createErr)
data["Error"] = "Failed to create app. Check server logs for details."
```
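The following is an added example, not code from the upaas project or from the issue author, that puts the flagged pattern beside the suggested fix so the difference is visible in the rendered response. The template, the `createApp` stand-in, the sentinel `ErrInvalidName`, the storage error text and the `/var/lib/upaas/...` path are all constructed for the demonstration. It goes one step beyond the issue's fix: errors the handler explicitly recognises as user-facing (via `errors.Is`) keep a specific message, while everything else collapses to the generic one.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"log/slog"
	"os"
	"strings"
)

// ErrInvalidName is a validation error whose text is safe to show to the user.
var ErrInvalidName = errors.New("app name must not be empty")

// errStorage is a constructed stand-in for what a storage layer might return.
// The path and driver message are the kind of detail that must stay out of
// responses; neither is taken from the real project.
var errStorage = errors.New("write /var/lib/upaas/apps/demo.db: database is locked")

// page is a hypothetical template; the issue does not show the project's own.
var page = template.Must(template.New("app").Parse(`<p class="error">{{.Error}}</p>`))

// createApp stands in for the real creation logic. It wraps the storage error
// so the chain carries both the caller's context and the internal detail.
func createApp(name string) error {
	if strings.TrimSpace(name) == "" {
		return ErrInvalidName
	}
	return fmt.Errorf("create app %q: %w", name, errStorage)
}

// render executes the template and returns the HTML that would be sent.
func render(data map[string]any) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderLeaky reproduces the flagged pattern. html/template escapes the text,
// so there is no markup injection, but the internal path and driver message
// are still readable in the response body.
func renderLeaky(name string) (string, error) {
	data := map[string]any{}
	if err := createApp(name); err != nil {
		data["Error"] = "Failed to create app: " + err.Error()
	}
	return render(data)
}

// userMessage maps an error to text that is safe to show. Only errors the
// handler recognises as user-facing get specific wording; anything else
// collapses to the generic message from the suggested fix.
func userMessage(err error) string {
	if errors.Is(err, ErrInvalidName) {
		return "Failed to create app: " + ErrInvalidName.Error()
	}
	return "Failed to create app. Check server logs for details."
}

// renderSafe applies the suggested fix: the full error chain goes to the
// server log, and the user sees only the mapped message.
func renderSafe(log *slog.Logger, name string) (string, error) {
	data := map[string]any{}
	if err := createApp(name); err != nil {
		log.Error("failed to create app", "name", name, "error", err)
		data["Error"] = userMessage(err)
	}
	return render(data)
}

func main() {
	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
	leaky, _ := renderLeaky("demo")
	safe, _ := renderSafe(log, "demo")
	fmt.Println("leaky:", leaky)
	fmt.Println("safe: ", safe)
}
```

Running it shows the leaky response carrying the database path with the quotes around `demo` escaped as `&#34;`, which is why auto-escaping does not address the disclosure: the bytes are harmless as markup but fully legible as text. The safe response contains only the fixed message, and the path appears solely in the log line.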
sneak closed this issue 2026-02-16 07:01:53 +01:00
Reference: sneak/upaas#41