bug: Error handler exposes sensitive error information in response #9

Open
opened 2026-06-17 15:06:16 +00:00 by abumahid · 0 comments
Owner

Description

The global error handler includes the raw `err` object in JSON responses to clients. This exposes internal error objects, stack traces (in development), and potentially sensitive information about the application structure to attackers.

Location

  • File: `src/app/middlewares/global_error_handler.ts`
  • Component: `globalErrorHandler` middleware
  • Lines: 8-49

How to Fix

Remove the `err` object from the response and only send safe error information:

```typescript
import type { ErrorRequestHandler } from "express";
import { ZodError } from "zod";
// Project-local imports (AppError, handleZodError, TErrorSources, configs) are
// not shown in the issue; import them from their locations in this repository.

const globalErrorHandler: ErrorRequestHandler = (err, req, res, next) => {
  // Safe defaults: generic message, no internal detail
  let statusCode = 500;
  let message = "Something went wrong!";
  let errorSources: TErrorSources = [
    {
      path: "",
      message: "Something went wrong",
    },
  ];

  if (err instanceof ZodError) {
    // Validation errors: map Zod issues to per-field messages
    const simplifiedError = handleZodError(err);
    statusCode = simplifiedError?.statusCode;
    message = simplifiedError?.message;
    errorSources = simplifiedError?.errorSources;
  } else if (err instanceof AppError) {
    // Application errors carry their own status code and client-facing message
    statusCode = err?.statusCode;
    message = err.message;
    errorSources = [
      {
        path: "",
        message: err?.message,
      },
    ];
  } else if (err instanceof Error) {
    // Unexpected errors stay at 500
    message = err.message;
    errorSources = [
      {
        path: "",
        message: err?.message,
      },
    ];
  }

  res.status(statusCode).json({
    success: false,
    message,
    errorSources,
    // Remove 'err' and only include stack in development
    ...(configs.env === "development" && { stack: err?.stack }),
  });
};
```

Acceptance Criteria

  • Error response does not include raw error object
  • Stack trace is only included in development environment
  • Production responses only contain message and errorSources
  • Build passes
  • Error handling still works correctly
  • Type check passes

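The leak this issue describes, reproduced as an added example that is not code from the quicklanch-server project: a constructed driver-style error is serialised both the original way (raw `err` in the body) and the proposed way, with Express left out so `res` is replaced by returning the body. `AppError`, `TErrorSources`, the `env` parameter and the error's extra field names are assumptions for illustration.

```typescript
type TErrorSources = { path: string; message: string }[];

class AppError extends Error {
  constructor(public statusCode: number, message: string) {
    super(message);
    Object.setPrototypeOf(this, AppError.prototype); // keep instanceof working on older targets
  }
}

// Constructed stand-in for a database driver error. Drivers commonly attach
// enumerable fields (query text, host); JSON.stringify serialises those, while
// Error's own `message` and `stack` are non-enumerable and are dropped.
function constructedDbError(): Error {
  const e = new Error("connect ECONNREFUSED") as Error & Record<string, unknown>;
  e.sql = "SELECT * FROM users WHERE email = 'alice@example.com'";
  e.hostname = "db-internal.local";
  return e;
}

// Before: the shape the issue reports, with the raw `err` placed in the body.
function leakyBody(err: unknown, env: string): Record<string, unknown> {
  const stack = env === "development" ? { stack: (err as Error)?.stack } : {};
  return { success: false, message: "Something went wrong!", err, ...stack };
}

// After: the shape proposed in the issue; only message, errorSources and
// (in development only) the stack reach the client. statusCode is returned
// here instead of being passed to res.status() so the result can be inspected.
function safeBody(err: unknown, env: string): Record<string, unknown> {
  let statusCode = 500;
  let message = "Something went wrong!";
  let errorSources: TErrorSources = [{ path: "", message: "Something went wrong" }];
  if (err instanceof AppError) {
    statusCode = err.statusCode;
    message = err.message;
    errorSources = [{ path: "", message: err.message }];
  } else if (err instanceof Error) {
    message = err.message;
    errorSources = [{ path: "", message: err.message }];
  }
  const stack = env === "development" ? { stack: (err as Error)?.stack } : {};
  return { statusCode, success: false, message, errorSources, ...stack };
}

// What crosses the wire is the JSON text, so inspect the keys after a round trip.
function wireKeys(body: Record<string, unknown>): string[] {
  return Object.keys(JSON.parse(JSON.stringify(body)));
}
```

Note that a bare `new Error("x")` serialises to `{}`, which is why the leak is easy to miss in tests that never exercise a driver or library error with enumerable fields.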
abumahid added the Mediumbug labels 2026-06-17 15:06:16 +00:00
abumahid added this to the quicklanch-server project 2026-06-17 15:06:16 +00:00