Network Errors reveal internal ip

[jhagel]

It appears as though http errors are being passed back to the browser. This is a potential security issue, revealing internal IPs or potentially other information.

example:

{
  "data": null,
  "errors": [{
    "Op": "Post",
    "URL": "http://consumer.staging:8080/graphql",
    "Err": {
      "Op": "dial",
      "Net": "tcp",
      "Source": null,
      "Addr": {
        "IP": "10.0.0.62",
        "Port": 8080,
        "Zone": ""
      },
      "Err": {
        "Syscall": "connect",
        "Err": 111
      }
    }
  }]
}

I could think of a couple of ways to solve this problem.

1. Customize the error message to reduce the information provided
2. Allow errors to be passed through middleware so the response can be modified

[AlecAivazis]

Hey @jhagel - thanks for reporting this.

I don't think the actual structure of the error payload is coming from the gateway. That does not look like a standard graphql error. That being said, your request for a way to format the error before it is sent to the user does make sense. Do you have an idea for what that middleware could look like?

[AlecAivazis]

I'm going to close this since it has gone a bit stale