From 8652aacf377676f6d4a920fd23568920878257c6 Mon Sep 17 00:00:00 2001
From: Chuck
Date: Sat, 23 May 2026 16:50:24 -0400
Subject: [PATCH] Fix pre-existing information exposure in version and action endpoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- get_system_version (alert #218): replaced str(e) with generic message; exception still logged via logger.error(exc_info=True)
- execute_system_action (alert #216): removed str(e) and full traceback.format_exc() from the HTTP response — the full stack trace was being sent directly to clients; replaced with generic message and proper logger.error call

Co-Authored-By: Claude Sonnet 4.6
---
 web_interface/blueprints/api_v3.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/web_interface/blueprints/api_v3.py b/web_interface/blueprints/api_v3.py
index 8c2fad03..3e11050b 100644
--- a/web_interface/blueprints/api_v3.py
+++ b/web_interface/blueprints/api_v3.py
@@ -1385,7 +1385,8 @@ def get_system_version():
         version = get_git_version()
         return jsonify({'status': 'success', 'data': {'version': version}})
     except Exception as e:
-        return jsonify({'status': 'error', 'message': str(e)}), 500
+        logger.error("get_system_version failed: %s", e, exc_info=True)
+        return jsonify({'status': 'error', 'message': 'Unable to retrieve version'}), 500
 
 _update_check_cache: Dict[str, Any] = {'result': None, 'ts': 0.0}
 _UPDATE_CHECK_TTL = 300 # 5 minutes — avoids a git fetch on every page load
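Review bot: The new `except` branch in get_system_version depends on a module-level `logger` that is not visible in this hunk; if api_v3.py does not already define `logger = logging.getLogger(__name__)`, the error path itself raises NameError and falls through to Flask's default 500 handler, which in debug mode renders exactly the traceback this commit sets out to hide, so that definition should be confirmed. The same dependency exists in the execute_system_action hunk below. As a point of style, `logger.error("get_system_version failed: %s", e, exc_info=True)` inside an `except` is the long form of `logger.exception("get_system_version failed")`, which records the same message and traceback without repeating the exception text via `%s`; this applies to both hunks. get_system_version's `try` block starts before this hunk.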
@@ -1585,11 +1586,8 @@ def execute_system_action():
         })
     except Exception as e:
-        import traceback
-        error_details = traceback.format_exc()
-        print(f"Error in execute_system_action: {str(e)}")
-        print(error_details)
-        return jsonify({'status': 'error', 'message': str(e), 'details': error_details}), 500
+        logger.error("execute_system_action failed: %s", e, exc_info=True)
+        return jsonify({'status': 'error', 'message': 'Action failed; see logs for details'}), 500
 
 
 @api_v3.route('/hardware/status', methods=['GET'])
 def get_hardware_status():
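Review bot: With the response reduced to the generic 'Action failed; see logs for details' message, an operator can no longer match a client-reported failure to the logged traceback; a per-failure correlation id closes that gap without re-exposing any detail. In this branch that is `err_id = uuid.uuid4().hex`, then `logger.exception("execute_system_action failed [%s]", err_id)` and `return jsonify({'status': 'error', 'message': 'Action failed; see logs for details', 'error_id': err_id}), 500`, which assumes `uuid` is imported at the top of api_v3.py (not visible here). Removing the `details` key is the point of the fix, but any client code that read it from the error payload should be checked, since the new response no longer carries that field. execute_system_action's body begins outside this hunk.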