Fix pre-existing information exposure in version and action endpoints

- get_system_version (alert #218): replaced str(e) with generic message;
  exception still logged via logger.error(exc_info=True)
- execute_system_action (alert #216): removed str(e) and full
  traceback.format_exc() from the HTTP response — the full stack trace
  was being sent directly to clients; replaced with generic message and
  proper logger.error call

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Chuck
2026-05-23 16:50:24 -04:00
parent 76507014ce
commit 8652aacf37


@@ -1385,7 +1385,8 @@ def get_system_version():
version = get_git_version()
return jsonify({'status': 'success', 'data': {'version': version}})
except Exception as e:
return jsonify({'status': 'error', 'message': str(e)}), 500
logger.error("get_system_version failed: %s", e, exc_info=True)
return jsonify({'status': 'error', 'message': 'Unable to retrieve version'}), 500
_update_check_cache: Dict[str, Any] = {'result': None, 'ts': 0.0}
_UPDATE_CHECK_TTL = 300 # 5 minutes — avoids a git fetch on every page load
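Review bot: The new `logger.error("get_system_version failed: %s", e, exc_info=True)` logs the exception text twice — once via `%s` and again in the traceback that `exc_info=True` attaches — and the same pattern is repeated in the `execute_system_action` hunk. The idiomatic form is `logger.exception("get_system_version failed")`, which records the full traceback at ERROR level in one call and keeps the message stable for log-based alerting. The generic client message is the right call here; the `try:` that this `except` belongs to begins above the hunk, so whether anything other than `get_git_version()` can raise into it is not visible in this view.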
@@ -1585,11 +1586,8 @@ def execute_system_action():
})
except Exception as e:
import traceback
error_details = traceback.format_exc()
print(f"Error in execute_system_action: {str(e)}")
print(error_details)
return jsonify({'status': 'error', 'message': str(e), 'details': error_details}), 500
logger.error("execute_system_action failed: %s", e, exc_info=True)
return jsonify({'status': 'error', 'message': 'Action failed; see logs for details'}), 500
@api_v3.route('/hardware/status', methods=['GET'])
def get_hardware_status():
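Review bot: The new response `'Action failed; see logs for details'` gives an operator no way to find the matching log entry among other failures, so the traceback that was previously (wrongly) returned to the client is now hard to correlate from a user report. A short per-request identifier closes that gap without exposing internals: `error_id = uuid.uuid4().hex`, `logger.error("execute_system_action failed [%s]", error_id, exc_info=True)`, and `return jsonify({'status': 'error', 'message': 'Action failed', 'error_id': error_id}), 500` (with `uuid` imported at module top). Since `except Exception` also catches failures that are the caller's fault (an unknown action name, for instance — the dispatch logic is above the hunk and not visible here), it is worth confirming those paths return a 4xx before reaching this handler rather than a blanket 500.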