Skip to content

fix(serve): hide exception details in web errors#16

Merged
saagpatel merged 1 commit into
mainfrom
codex/fix-stack-trace-exposure
May 18, 2026
Merged

fix(serve): hide exception details in web errors#16
saagpatel merged 1 commit into
mainfrom
codex/fix-stack-trace-exposure

Conversation

@saagpatel
Copy link
Copy Markdown
Owner

@saagpatel saagpatel commented May 18, 2026

What

  • Stops local web HTMX error fragments from echoing exception text.
  • Keeps user-facing errors generic for action, section, and initiative routes.
  • Adds regression coverage that internal exception details are not reflected.

Why

  • Resolves the medium-severity CodeQL stack-trace exposure tranche.

How

  • Uses generic error messages for expected validation/not-found failures instead of rendering exception strings.
  • Updates the existing XSS/error test to assert untrusted input is not reflected at all.

Testing

  • python3 -m pytest tests/test_serve.py tests/test_initiatives_suggestions_route.py -q -p no:cacheprovider — 85 passed
  • ruff check src/serve/routes.py tests/test_serve.py tests/test_initiatives_suggestions_route.py — passed
  • python3 -m pytest -q -p no:cacheprovider — 2085 passed, 2 skipped, 1 warning
  • ruff check src/ tests/ — passed

Performance Impact

  • None expected.

Risk / Notes

  • Error fragments now provide less detail to the browser, intentionally. Server-side behavior and status codes are unchanged.

@saagpatel saagpatel merged commit 9a67ad7 into main May 18, 2026
3 checks passed
@saagpatel saagpatel mentioned this pull request May 18, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@saagpatel