Skip to content

Stop leaking internal error details on /health/deep#236

Open
agnesadoga-creator wants to merge 1 commit into
FX-GENE:mainfrom
agnesadoga-creator:fix/13-health-deep-error-leak
Open

Stop leaking internal error details on /health/deep#236
agnesadoga-creator wants to merge 1 commit into
FX-GENE:mainfrom
agnesadoga-creator:fix/13-health-deep-error-leak

Conversation

@agnesadoga-creator

Copy link
Copy Markdown

Closes #13

Problem

The /health/deep endpoint (and the shared health-check helper it depends on) returned raw internal error details (error.message, which can include DB connection info, internal hostnames, etc.) in the HTTP response body to any unauthenticated caller whenever a dependency check failed.

Fix

In src/health/health.service.ts, the private timed() helper (used by all dependency checks: Postgres, Redis, Horizon, Soroban RPC) no longer puts the raw caught error into the response detail field. Instead:

  • The full error (including stack trace) is logged server-side via a NestJS Logger.
  • The response detail is now a generic, non-sensitive string like "database check failed" — no error message or stack is exposed to the caller.

Testing

Reviewed by inspection (no local build/test run per task scope — dependencies not installed). Existing tests in test/health-deep.spec.ts and test/health-rpc.spec.ts only assert on status/latencyMs/network/timestamp fields, not on the exact detail string, so this change does not alter their expected behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

/health/deep leaks internal errors to unauthenticated callers

1 participant