fix(security): stop leaking serde parse details in gateway error responses

Replace the dynamic error message in the webhook JSON parsing error
path with a static message. Previously, the raw JsonRejection error
from axum/serde was interpolated into the HTTP response, potentially
exposing internal parsing details to unauthenticated callers.

The detailed error is now logged server-side via tracing::warn for
debugging, while the client receives a generic "Invalid JSON body"
message.

Closes #356

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fettpl 2026-02-16 17:27:07 +01:00
parent 639032c952
commit e6ad48df48


@ -544,8 +544,9 @@ async fn handle_webhook(
let Json(webhook_body) = match body {
Ok(b) => b,
Err(e) => {
tracing::warn!("Webhook JSON parse error: {e}");
let err = serde_json::json!({
"error": format!("Invalid JSON: {e}. Expected: {{\"message\": \"...\"}}")
"error": "Invalid JSON body. Expected: {\"message\": \"...\"}"
});
return (StatusCode::BAD_REQUEST, Json(err));
}
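Review bot: The added `tracing::warn!("Webhook JSON parse error: {e}")` in the `Err(e)` arm interpolates the rejection text into the log message, and serde error text can echo parts of the request body (an offending string value or an unknown field name), so content chosen by the caller ends up in the log line. Recording it as a structured field, `tracing::warn!(error = %e, "Webhook JSON parse error");`, keeps the message constant and lets a JSON or other escaping formatter treat the detail as data; whether control characters are escaped depends on the subscriber configuration, which is not visible here. Because the description says this path is reachable by unauthenticated callers, it is also worth confirming that a rate limit or body-size limit ahead of this handler bounds how many warn-level lines a single client can produce. `handle_webhook` starts and continues outside this hunk.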