asf-tooling opened a new issue, #1126: URL: https://github.com/apache/tooling-trusted-releases/issues/1126
**ASVS Level(s):** L2

**Description:**

### Summary

When unhandled exceptions occur in API endpoints, the error handlers return `str(error)` directly to the client. For unexpected exceptions, this can expose internal file paths, SQL fragments, class names, and system state information that aids attackers in understanding the application internals. Tracebacks are suppressed, but raw exception messages are still returned.

### Details

In `atr/server.py` and `atr/blueprints/api.py`, error handlers return raw exception messages to clients.

### Recommended Remediation

In `_handle_generic_exception`, log full error details but only return detailed errors when `is_dev_environment()` is True. Return a generic 'Internal server error' message in production.

### Acceptance Criteria

- [ ] Detailed errors only in development mode
- [ ] Generic errors in production
- [ ] Full error details logged server-side
- [ ] Unit tests verify error handling

### References

- Source reports: L2:13.4.2.md
- Related findings: FINDING-177, FINDING-178
- ASVS sections: 13.4.2

### Priority

Low
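The remediation described above, as an added example that is not the project's code: a framework-agnostic handler that always logs the full exception (with a correlation id) server-side and only includes the raw message and class name in the response when a development check passes. `is_dev_environment` here is a stand-in for the project's function of that name, and the `ATR_ENV` variable it reads is an assumption made for this example.

```python
"""Added example: generic exception handler that keeps exception details
out of production responses while logging them in full."""
import logging
import os
import traceback
import uuid
from typing import Dict, Optional, Tuple

log = logging.getLogger("atr.errors")


def is_dev_environment(env: Optional[Dict[str, str]] = None) -> bool:
    """Stand-in for the project's is_dev_environment().

    Assumption for this example: an ATR_ENV variable selects the mode;
    anything other than "development" is treated as production.
    """
    env = dict(os.environ) if env is None else env
    return env.get("ATR_ENV", "production") == "development"


def handle_generic_exception(error: Exception, dev: bool) -> Tuple[int, Dict[str, str]]:
    """Build the status code and JSON body for an unhandled exception.

    Full details (type, message, traceback) always go to the server log,
    keyed by a correlation id so operators can find the entry. The client
    only receives those details when dev is True; in production it gets a
    generic message plus the correlation id to quote in support requests.
    """
    error_id = uuid.uuid4().hex
    log.error(
        "unhandled exception id=%s type=%s message=%s\n%s",
        error_id,
        type(error).__name__,
        error,
        "".join(traceback.format_exception(type(error), error, error.__traceback__)),
    )
    body = {"error": "Internal server error", "error_id": error_id}
    if dev:
        # Development only: the raw message and class name help local debugging
        body["detail"] = str(error)
        body["exception"] = type(error).__name__
    return 500, body
```

Wire `handle_generic_exception(error, is_dev_environment())` into the framework's error handler and serialise the returned body as JSON.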
