| return {"error": "Failed to process network."} | ||
| return {"error": "Failed to send network to Cytoscape."} | ||
| logger.error(f"Error in single network mode: {e}") | ||
| return {"error": str(e)} |
Check warning: Code scanning / CodeQL: Information exposure through an exception (Medium)
Copilot Autofix (AI, about 1 month ago):
In general, to fix information exposure through exceptions, you should avoid sending raw exception messages or stack traces back to clients. Instead, log the detailed error on the server, and return a generic, user-safe message (optionally with a non-sensitive error code) in the API response.
For this specific case in api/server.py around line 870, the best fix is:
- Keep the existing logging so developers still get details (`logger.error(f"Error in single network mode: {e}")`).
- Change the returned payload from `{"error": str(e)}` to a generic message such as `{"error": "Failed to create Cytoscape network"}` that does not include the exception text.
- Optionally include a non-sensitive field like `"detail": "Internal error"`, but do not echo `e` or its string representation.
No new imports or helpers are needed; the fix is just a small change to the return value in that except block. This preserves behavior semantics (error vs success) while preventing sensitive information from leaking to the client.
| @@ -869,7 +869,7 @@ | ||
| return _send_single_network_to_cytoscape(converted_json, layout_type) | ||
| except Exception as e: | ||
| logger.error(f"Error in single network mode: {e}") | ||
| return {"error": str(e)} | ||
| return {"error": "Failed to create Cytoscape network."} | ||
|
|
||
| # Multiple routes mode (new default behavior) | ||
| try: |
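Review bot: now that `str(e)` no longer reaches the client, the retained `logger.error(f"Error in single network mode: {e}")` line is the only record of the failure, and f-string interpolation of `e` keeps just the message and drops the traceback; consider `logger.exception("Error in single network mode")` (or `exc_info=True`) in the same except block so the root cause stays diagnosable server-side. The new generic string is consistent with the neighbouring returns ("Failed to process network.", "Failed to send network to Cytoscape."), so the client-facing error shape does not change.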
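As an added example, not code from the PR or the project, here is the flagged pattern beside the hardened form the autofix describes, in Python: the backend stub `send_network`, the logger name and the `ref` correlation field are constructed for illustration.

```python
import logging
import uuid

logger = logging.getLogger("api.server")  # assumed logger name


def send_network(network):
    """Constructed stand-in for the failing backend call; its error text
    deliberately contains a server-side path, the kind of detail that
    should never be echoed to a client."""
    if "nodes" not in network:
        raise FileNotFoundError("/srv/app/.cytoscape/session.cys: no such file")
    return {"network_id": 1}


def handle_vulnerable(network):
    """Pattern the CodeQL alert flags: the raw exception text reaches the client."""
    try:
        return send_network(network)
    except Exception as e:
        logger.error(f"Error in single network mode: {e}")
        return {"error": str(e)}


def handle_fixed(network):
    """Hardened form: full detail (with traceback) stays in the server log,
    the client gets a generic message plus an opaque reference id that an
    operator can grep for in the log."""
    try:
        return send_network(network)
    except Exception:
        ref = uuid.uuid4().hex[:12]  # non-sensitive correlation id (assumed design)
        # logger.exception records the traceback, which str(e) alone would drop
        logger.exception("Error in single network mode (ref=%s)", ref)
        return {
            "error": "Failed to create Cytoscape network.",
            "detail": "Internal error",
            "ref": ref,
        }
```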
No description provided.