Avoid leaking backend error details in HTTP responses#331

Merged
folbricht merged 1 commit into
masterfrom
sanitize-server-error-responses
Apr 18, 2026
Conversation

@folbricht
Owner

Summary

The chunk-server and index-server HTTP handlers echoed raw upstream-store errors and store identifiers into response bodies. On an Internet-exposed server that leaks backend detail to clients:

  • Backend errors from S3/SFTP/GCS/local stores (which can contain bucket names, hostnames, filesystem paths, or occasionally signed URLs) were written to the response body on 5xx and some 4xx paths.
  • The upstream store URI was written to the body of the "writing to upstream ... is not enabled" and "upstream ... does not support writing" responses.

Changes

All error paths that previously emitted backend-derived text to the client now:

  • log the full error to stderr (so operators retain diagnostics), and
  • return a generic message to the client.

Client-input errors remain intact since they describe the caller's own request:

  • chunk hash-mismatch from NewChunkFromStorage (PUT chunk)
  • "invalid index: ..." from IndexFromReader (PUT index)
  • URL-shape validation errors from idFromPath

Status codes are preserved; only the response body is changed. The returned error from validateWritable still contains the store identifier for the server-side caller, but the HTTP response no longer does.

Existing chunk-server / index-server tests pass unchanged.

The chunk and index HTTP handlers echoed raw error strings from the
upstream store into response bodies (e.g., S3/SFTP/GCS error messages
may contain bucket names, hostnames, paths, or signed URLs) and the
upstream store identifier in the "not enabled" / "does not support
writing" responses.

Log the detail to stderr and return a generic message to the client.
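The pattern the PR describes, as an added example that is not desync's own code: a single error-writing choke point that logs the full backend error to stderr and returns only the generic status text to the client, while errors that describe the caller's own request (hash mismatch, malformed index, bad URL shape) pass through verbatim. The `ClientError` type, `writeError`, `validateWritable` and the sample S3-style error string are all assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// ClientError marks errors caused by the caller's own request (hash mismatch,
// malformed index, bad URL shape). These are safe to echo back verbatim.
// Hypothetical type for this example, not desync's own.
type ClientError struct {
	Status int
	Msg    string
}

func (e *ClientError) Error() string { return e.Msg }

// logger keeps full diagnostics on stderr for the operator, as the PR does.
var logger = log.New(os.Stderr, "chunk-server: ", log.LstdFlags)

// validateWritable (hypothetical) still returns the store identifier in the
// error for the server-side caller; only the HTTP response is sanitised.
func validateWritable(storeURI string, writable bool) error {
	if !writable {
		return fmt.Errorf("writing to upstream %s is not enabled", storeURI)
	}
	return nil
}

// writeError is the single choke point for error responses. Backend-derived
// errors are logged in full but the client only sees the generic status text;
// client-input errors are returned as-is because they describe the request.
// The status code chosen by the handler is preserved either way.
func writeError(w http.ResponseWriter, r *http.Request, status int, err error) {
	var ce *ClientError
	if errors.As(err, &ce) {
		http.Error(w, ce.Msg, ce.Status)
		return
	}
	logger.Printf("%s %s: %v", r.Method, r.URL.Path, err)
	http.Error(w, http.StatusText(status), status)
}

// ResponseBody renders err through writeError against a recorder and returns
// the status code and trimmed body, so the behaviour is checkable offline.
func ResponseBody(status int, err error) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/chunk/abcd", nil)
	writeError(rec, req, status, err)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// LeaksBackendDetail reports whether a response body contains any of the
// upstream identifiers that must never reach the client.
func LeaksBackendDetail(body string, secrets ...string) bool {
	for _, s := range secrets {
		if strings.Contains(body, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample upstream error resembling what an S3 client returns.
	upstream := fmt.Errorf("s3://prod-chunk-bucket/chunks/abcd via s3.internal.example: %w",
		errors.New("AccessDenied"))
	code, body := ResponseBody(http.StatusInternalServerError, upstream)
	fmt.Printf("%d %q\n", code, body) // 500 "Internal Server Error"

	// Store URI from validateWritable stays server-side only.
	code, body = ResponseBody(http.StatusBadRequest, validateWritable("sftp://backup.internal/chunks", false))
	fmt.Printf("%d %q\n", code, body) // 400 "Bad Request"

	// Client-input error is passed through unchanged.
	code, body = ResponseBody(http.StatusBadRequest,
		&ClientError{Status: http.StatusBadRequest, Msg: "chunk hash mismatch"})
	fmt.Printf("%d %q\n", code, body) // 400 "chunk hash mismatch"
}
```

Routing every error through one function is what makes the guarantee reviewable: a grep for direct `http.Error(w, err.Error(), ...)` calls in the handlers is then the whole audit.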
@folbricht folbricht marked this pull request as ready for review April 18, 2026 16:06
@folbricht folbricht merged commit dcda3a9 into master Apr 18, 2026
6 checks passed
@folbricht folbricht deleted the sanitize-server-error-responses branch April 18, 2026 16:06