fix(msteams): sanitize error messages sent to users (CWE-209)#33343
fix(msteams): sanitize error messages sent to users (CWE-209)#33343BradGroux merged 1 commit intoopenclaw:mainfrom
Conversation
Replace raw err.message in user-facing sendActivity calls with generic
messages. Internal details (URLs, tenant IDs, API errors) are kept in
server-side logs only.
- message-handler.ts: 'Agent failed: ${err.message}' → generic message
- monitor-handler.ts: 'File upload failed: ${err}' → generic message
- Upgrade file upload error from debug to error log level
openclaw-barnacle
bot
added
channel: msteams
Greptile SummaryThis PR patches two CWE-209 (Information Exposure Through an Error Message) vulnerabilities in the MS Teams integration by replacing raw error strings sent to users with generic, non-disclosing messages. Full error details are preserved in server-side logs for debugging. Changes:
The fix is minimal, targeted, and safe — no functional behavior beyond user-visible messages is affected. Confidence Score: 5/5
Last reviewed commit: 085d74c |
WinnCook
left a comment
WinnCook
left a comment
There was a problem hiding this comment.
Clean fix. Upgrading log level to error on the upload path is a good call too — debug was swallowing failures silently in production.
|
CI is blocked by a pre-existing test failure on |
|
Hi @lewiswigmore — thanks for the submission. I’m the new Microsoft Teams maintainer for OpenClaw. Please give me a day or two to work through the open Teams backlog. Also, join the Twitter community for daily MS Teams feedback + updates: https://x.com/i/communities/2031170403607974228 |
1 similar comment
|
Hi @lewiswigmore — thanks for the submission. I’m the new Microsoft Teams maintainer for OpenClaw. Please give me a day or two to work through the open Teams backlog. Also, join the Twitter community for daily MS Teams feedback + updates: https://x.com/i/communities/2031170403607974228 |
|
This looks like a clean, low-risk security hardening change for the Teams integration. It removes raw error details from the two user-facing I don’t see scope creep or an obvious missing follow-up in the code changed here. |
|
Thanks @BradGroux, no rush! Happy to rebase once the test fix lands on main. Will check out the community too ��� |
4 participants
Summary
Replaces raw error propagation with generic user-facing messages to prevent internal stack traces, file paths, and Graph API error details from leaking to Teams users (CWE-209 information disclosure).
Changes
monitor-handler.ts: ReplaceFile upload failed: ${String(err)}with generic"File upload failed. Please try again."and upgrade log level fromdebugtoerrormessage-handler.ts: Replace⚠️ Agent failed: ${err.message}with generic"⚠️ Something went wrong. Please try again."Error details are preserved in server-side logs for debugging.
Supersedes #23629 (closed by stale bot during rebase).