From e6ad48df48c92ce9ce3a30e31b6082fa90245ed5 Mon Sep 17 00:00:00 2001
From: fettpl <38704082+fettpl@users.noreply.github.com>
Date: Mon, 16 Feb 2026 17:27:07 +0100
Subject: [PATCH] fix(security): stop leaking serde parse details in gateway
 error responses

Replace the dynamic error message in the webhook JSON parsing error
path with a static message. Previously, the raw JsonRejection error
from axum/serde was interpolated into the HTTP response, potentially
exposing internal parsing details to unauthenticated callers.

The detailed error is now logged server-side via tracing::warn for
debugging, while the client receives a generic "Invalid JSON body"
message.

Closes #356

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/gateway/mod.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/gateway/mod.rs b/src/gateway/mod.rs
index 638de00..64d9ba6 100644
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@@ -544,8 +544,9 @@ async fn handle_webhook(
     let Json(webhook_body) = match body {
         Ok(b) => b,
         Err(e) => {
+            tracing::warn!("Webhook JSON parse error: {e}");
             let err = serde_json::json!({
-                "error": format!("Invalid JSON: {e}. Expected: {{\"message\": \"...\"}}")
+                "error": "Invalid JSON body. Expected: {\"message\": \"...\"}"
             });
             return (StatusCode::BAD_REQUEST, Json(err));
         }