fix(security): stop leaking serde parse details in gateway error responses
Replace the dynamic error message in the webhook JSON parsing error path with a static message. Previously, the raw JsonRejection error from axum/serde was interpolated into the HTTP response, potentially exposing internal parsing details to unauthenticated callers. The detailed error is now logged server-side via tracing::warn for debugging, while the client receives a generic "Invalid JSON body" message. Closes #356 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent
639032c952
commit
e6ad48df48
1 changed files with 2 additions and 1 deletions
|
|
@ -544,8 +544,9 @@ async fn handle_webhook(
|
||||||
let Json(webhook_body) = match body {
|
let Json(webhook_body) = match body {
|
||||||
Ok(b) => b,
|
Ok(b) => b,
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
|
tracing::warn!("Webhook JSON parse error: {e}");
|
||||||
let err = serde_json::json!({
|
let err = serde_json::json!({
|
||||||
"error": format!("Invalid JSON: {e}. Expected: {{\"message\": \"...\"}}")
|
"error": "Invalid JSON body. Expected: {\"message\": \"...\"}"
|
||||||
});
|
});
|
||||||
return (StatusCode::BAD_REQUEST, Json(err));
|
return (StatusCode::BAD_REQUEST, Json(err));
|
||||||
}
|
}
|
||||||
|
|
|
||||||
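Review bot: The added `tracing::warn!("Webhook JSON parse error: {e}")` in the `Err(e)` arm still formats the rejection text into the log line, and serde's messages can quote pieces of the request body (an unexpected string value or field name), so caller-controlled text from an unauthenticated endpoint now lands in the server logs. I would record it as a structured field with a constant message, `tracing::warn!(error = %e, "webhook JSON parse error");`, so that an escaping or JSON subscriber treats it as data and alerts can key on the fixed message. Because every malformed request emits a warn-level event, it is also worth confirming that this route is rate limited or that the event is sampled; otherwise log volume is driven by the caller. `handle_webhook` begins and ends outside the hunk, so whether a limiter already sits in front of it is not visible here.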