Fix #18937: Don't leak API errors to user channel #18970
Closed
jwchmodx wants to merge 1 commit into openclaw:main from
- Heartbeat errors are now silently logged instead of being sent to the user's WhatsApp/Telegram channel
- Auth errors (401/403) in `formatRawAssistantErrorForUi` return a generic message instead of raw HTTP error body
- `formatAssistantErrorText` catches auth errors early with a safe message

Fixes openclaw#18937
Contributor
Closing as AI-assisted stale-fix triage. Linked issue #18937 ("Bug: API error messages (401 User not found) leaked to user channel") is CLOSED and was closed on 2026-02-22T19:04:58Z with state reason COMPLETED. If the behavior is still reproducible on current main, reopen #18970 (or open a new focused fix PR) and reference #18937.
Problem
API error messages (e.g. `401 User not found`) were being sent directly to users' WhatsApp/Telegram channels instead of being kept internal.

Changes
Heartbeat error suppression (`agent-runner-execution.ts`): When a heartbeat run fails, return an empty payload instead of forwarding the error text to the user channel. Errors are still logged via `defaultRuntime.error()`.

Auth error sanitization (`errors.ts`):
- `formatRawAssistantErrorForUi`: HTTP 401/403 errors now return a generic "Authentication error" message instead of the raw error body
- `formatAssistantErrorText`: Added early auth error detection before the generic fallback

Fixes #18937

Greptile Summary
This PR prevents API error messages from leaking to user channels by sanitizing authentication errors and suppressing heartbeat failures.
Changes:
- `formatRawAssistantErrorForUi` now returns a generic "Authentication error" message for HTTP 401/403 errors instead of exposing raw error bodies like "401 User not found"
- `formatAssistantErrorText` adds early auth error detection before the generic fallback
- `defaultRuntime.error()`)

The implementation correctly addresses the security issue by catching auth errors in multiple places and preventing sensitive API error details from reaching end users.

Confidence Score: 5/5
`isAuthErrorMessage` already includes 401/403 patterns), adds appropriate sanitization in two key locations, and maintains backward compatibility by only affecting error display logic without changing error handling behavior. Errors are still logged internally for debugging.

Last reviewed commit: 3774c38
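
The pattern the PR description outlines, as an added example that is not part of the PR or openclaw's code: the raw upstream error is logged internally, heartbeat failures send nothing, and user-facing text comes only from fixed strings. All function names, the fallback wording and the sample error strings (other than `401 User not found`) are assumptions made for this sketch.

```typescript
// Added illustration: every name here is hypothetical, not openclaw's API.
type RunKind = "heartbeat" | "reply";
interface ChannelPayload { text?: string }

const AUTH_MESSAGE = "Authentication error"; // generic wording, as in the PR text
const FALLBACK_MESSAGE = "Something went wrong. Please try again."; // assumed wording
const SAFE_TEXTS = new Set<string>([AUTH_MESSAGE, FALLBACK_MESSAGE]);

// Leading HTTP status ("401 User not found") or a status field in a JSON body.
const AUTH_STATUS = /^\s*(?:HTTP\s+)?(?:401|403)\b|"(?:status|code)"\s*:\s*(?:401|403)\b/i;

const internalLog: string[] = []; // stand-in for the operator-side error logger

function isAuthError(raw: string): boolean {
  return AUTH_STATUS.test(raw);
}

// "Before" behaviour described in the issue: raw upstream text is forwarded.
function forwardRaw(err: Error): ChannelPayload {
  return { text: err.message };
}

// "After": decide what, if anything, may reach the user's chat channel.
function toChannelPayload(kind: RunKind, err: unknown): ChannelPayload {
  const raw = err instanceof Error ? err.message : String(err);
  internalLog.push(`[${kind}] ${raw}`); // full detail stays internal
  if (kind === "heartbeat") return {}; // background run: send nothing
  // Fixed strings only: upstream text is never interpolated into the reply.
  return { text: isAuthError(raw) ? AUTH_MESSAGE : FALLBACK_MESSAGE };
}

// Regression check: outgoing text must be absent or on the allow-list.
function isSafePayload(p: ChannelPayload): boolean {
  return p.text === undefined || SAFE_TEXTS.has(p.text);
}

// Constructed sample errors (the first string is the one quoted in the issue).
const samples = [
  "401 User not found",
  '{"status":403,"message":"key revoked for acct-0000"}',
  "429 rate limit exceeded",
];
for (const s of samples) {
  const e = new Error(s);
  console.log(JSON.stringify(toChannelPayload("reply", e)), isSafePayload(forwardRaw(e)));
}
```

`isSafePayload` is useful as a unit-test invariant on every code path that writes to a user channel, since it fails as soon as any upstream string is passed through.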