ApiError::internal leaks full error details to API consumers #628

@hman38705

Description

File: services/api/src/handlers.rs

pub fn internal(err: anyhow::Error) -> Self {
    Self {
        code: "INTERNAL_ERROR",
        message: err.to_string(), // full error chain exposed
        ...
    }
}

The full anyhow error chain — which can include database query text, file paths, or stack context — is serialised directly into the JSON response body. This exposes implementation details that could aid an attacker and violates the principle of not leaking internal state to clients.

Expected: Log the full error server-side (already done via tracing) and return a generic message such as "An internal error occurred." to the caller.
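As an added illustration (not the project's own code), the leaky pattern is shown beside a fixed `internal` that keeps the full chain in the server-side log and hands the caller only the generic message; the `ApiError` shape, the constructed `DbError`, and `eprintln!` standing in for `tracing` are assumptions:

```rust
use std::{error::Error, fmt};

/// Stand-in for the project's ApiError (assumed shape, not the real struct).
pub struct ApiError {
    pub code: &'static str,
    pub message: String,
}

/// Walk the `source()` chain into one string; this is what the leaky
/// variant ships to the client.
pub fn render_chain(err: &dyn Error) -> String {
    let mut out = err.to_string();
    let mut cur = err.source();
    while let Some(e) = cur {
        out.push_str(": ");
        out.push_str(&e.to_string());
        cur = e.source();
    }
    out
}

/// Leaky variant, mirroring the reported behaviour: the rendered chain
/// becomes the client-visible message.
pub fn internal_leaky(err: &dyn Error) -> ApiError {
    ApiError { code: "INTERNAL_ERROR", message: render_chain(err) }
}

/// Fixed variant: the chain is logged server-side (eprintln! stands in for
/// tracing::error!) and the client only receives a generic message.
pub fn internal_safe(err: &dyn Error) -> ApiError {
    eprintln!("internal error: {}", render_chain(err));
    ApiError { code: "INTERNAL_ERROR", message: "An internal error occurred.".into() }
}

/// Constructed sample error: a DB failure carrying query text and a host
/// name, wrapping a lower-level I/O error, as a driver error typically would.
pub struct DbError { pub query: String, pub source: std::io::Error }
impl fmt::Display for DbError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!(f, "query failed: {}", self.query) }
}
impl fmt::Debug for DbError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fmt::Display::fmt(self, f) }
}
impl Error for DbError {
    fn source(&self) -> Option<&(dyn Error + 'static)> { Some(&self.source) }
}
pub fn sample_error() -> DbError {
    DbError {
        query: "SELECT password_hash FROM users WHERE id = 42".into(),
        source: std::io::Error::new(std::io::ErrorKind::ConnectionRefused, "db-primary:5432 refused"),
    }
}
```

Running `internal_leaky(&sample_error())` puts the query text and the database host into the response message, while `internal_safe` keeps both in the log only.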

Labels

Stellar Wave (Issues in the Stellar wave program)
