fix(security): ReportsController — log internal errors, return generic messages

rubenvdlinde · rubenvdlinde · commit ff4579676422 · 2026-05-07T10:13:03.000+02:00
`render()` previously surfaced `$e->getMessage()` directly in the response — useful for diagnostics, hostile when echoed to a hostile caller. The mapper layer + ReportRenderService chain (PhpSpreadsheet / Dompdf) routinely raise exceptions that include file paths, SQL fragments, or library-internal state. Inject `LoggerInterface`, log the original exception detail at error level (with identifier + format context for correlation), and return a generic message in the response body. Keep `InvalidArgumentException` verbatim — those are validation messages the caller controls and needs to act on. Refs: #1419 review (concern 11) — discussion_r3187494514 Same pattern applies in `AggregationController`, `MetricsController`, `RealtimeController`; left for follow-up since they're separate hunks reviewed off-line.
diff --git a/lib/Controller/ReportsController.php b/lib/Controller/ReportsController.php
@@ -40,6 +40,7 @@
 use OCP\AppFramework\Http\DataDownloadResponse;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
+use Psr\Log\LoggerInterface;
 
 /**
  * REST endpoint for on-demand dashboard rendering.
@@ -59,6 +60,7 @@ public function __construct(
         IRequest $request,
         private readonly ReportRenderService $renderService,
         private readonly MagicMapper $objectMapper,
+        private readonly LoggerInterface $logger,
     ) {
         parent::__construct(appName: $appName, request: $request);
 
@@ -87,8 +89,14 @@ public function render(string $id)
                 statusCode: Http::STATUS_NOT_FOUND
             );
         } catch (\Throwable $e) {
+            // SECURITY: log internal exception detail (file paths, SQL
+            // fragments, library state) and return a generic message.
+            $this->logger->error(
+                message: '[ReportsController] Failed to load dashboard',
+                context: ['identifier' => $id, 'error' => $e->getMessage()]
+            );
             return new JSONResponse(
-                data: ['error' => 'Failed to load dashboard: '.$e->getMessage()],
+                data: ['error' => 'Failed to load dashboard'],
                 statusCode: Http::STATUS_INTERNAL_SERVER_ERROR
             );
         }
@@ -99,13 +107,19 @@ public function render(string $id)
                 format: $format
             );
         } catch (InvalidArgumentException $e) {
+            // Validation errors are safe to return verbatim (the caller
+            // controls the input that triggered them).
             return new JSONResponse(
                 data: ['error' => $e->getMessage()],
                 statusCode: Http::STATUS_UNPROCESSABLE_ENTITY
             );
         } catch (\Throwable $e) {
+            $this->logger->error(
+                message: '[ReportsController] Render failed',
+                context: ['identifier' => $id, 'format' => $format, 'error' => $e->getMessage()]
+            );
             return new JSONResponse(
-                data: ['error' => 'Render failed: '.$e->getMessage()],
+                data: ['error' => 'Render failed; see server logs for details'],
                 statusCode: Http::STATUS_INTERNAL_SERVER_ERROR
             );
         }
