Fix internal error detail leakage in 500 responses#2801

Merged
Hayden-IO merged 1 commit into sigstore:main from bobcallaway:error_msgs on Apr 17, 2026
Conversation

@bobcallaway (Member)
Replace err.Error() with generic constants in three handleRekorAPIError calls in entries.go that were exposing internal error details (gRPC status text, hostnames, file paths) to unauthenticated callers via 500 response bodies.

Detailed errors are still logged server-side; only the user-facing message changes.

@bobcallaway bobcallaway requested a review from a team as a code owner April 17, 2026 14:54
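The change the description above refers to, as an added example rather than Rekor's code or the diff in this PR: the "before" handler copies err.Error() straight into the 500 body, so a wrapped backend error (gRPC status text, an internal hostname) reaches the client, while the "after" handler returns a generic constant and sends the detail to the server log only. The apiError type, the handler and constant names, and the sample error string are all assumptions constructed for this illustration; a leak check of the kind a handler test could assert on is included.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical generic, user-facing message standing in for the constants the PR
// substitutes for err.Error(); not one of Rekor's actual identifiers.
const msgFailedToGenerateCanonicalEntry = "failed to generate canonical entry"

// apiError is a hypothetical stand-in for the error value a handler hands to its
// error writer: the status code, the body the client sees, and the detail that is
// only ever logged.
type apiError struct {
	code    int
	message string
	detail  error
}

// handleAPIErrorLeaky reproduces the pattern the PR removes: err.Error() is used
// verbatim as the response body, so whatever text the wrapped error carries (gRPC
// status strings, hostnames, file paths) reaches an unauthenticated caller.
func handleAPIErrorLeaky(err error) apiError {
	return apiError{code: http.StatusInternalServerError, message: err.Error(), detail: err}
}

// handleAPIErrorSafe is the fixed pattern: the caller passes a generic constant for
// the body, and the full error is written to the server log only.
func handleAPIErrorSafe(err error, userMsg string) apiError {
	log.Printf("internal error (not returned to client): %v", err)
	return apiError{code: http.StatusInternalServerError, message: userMsg, detail: err}
}

// writeAPIError renders an apiError as a minimal JSON error body.
func writeAPIError(w http.ResponseWriter, e apiError) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(e.code)
	fmt.Fprintf(w, `{"code":%d,"message":%q}`, e.code, e.message)
}

// sampleInternalErr is a constructed error shaped like a wrapped backend failure;
// the hostname is made up. It carries exactly the kind of detail a client must not see.
var sampleInternalErr = errors.New("rpc error: code = Unavailable desc = dial tcp log-backend.example.internal:8090: connect: connection refused")

// sensitiveFragments lists the pieces of sampleInternalErr that reveal internals.
var sensitiveFragments = []string{"rpc error", "log-backend.example.internal", "connection refused"}

// respond runs a handler against sampleInternalErr through httptest and returns the
// HTTP status and body the client would receive.
func respond(handle func(error) apiError) (int, string) {
	rec := httptest.NewRecorder()
	writeAPIError(rec, handle(sampleInternalErr))
	return rec.Code, rec.Body.String()
}

// leaksInternalDetail reports whether a response body exposes any sensitive fragment.
func leaksInternalDetail(body string) bool {
	for _, frag := range sensitiveFragments {
		if strings.Contains(body, frag) {
			return true
		}
	}
	return false
}

func main() {
	code, body := respond(handleAPIErrorLeaky)
	fmt.Printf("before: %d %s leaks=%v\n", code, body, leaksInternalDetail(body))

	code, body = respond(func(err error) apiError {
		return handleAPIErrorSafe(err, msgFailedToGenerateCanonicalEntry)
	})
	fmt.Printf("after:  %d %s leaks=%v\n", code, body, leaksInternalDetail(body))
}
```

Running it prints the same 500 status for both handlers; only the body differs, and the leak check flags the first body but not the second. The detail field and log line keep the full error available for operators, which is the property the PR description calls out.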
@codecov (codecov Bot) commented Apr 17, 2026

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 26.17%. Comparing base (488eb97) to head (bd87eb1).
⚠️ Report is 667 commits behind head on main.

Files with missing lines   Patch %   Lines
pkg/api/entries.go         0.00%     3 Missing ⚠️
@@             Coverage Diff             @@
##             main    #2801       +/-   ##
===========================================
- Coverage   66.46%   26.17%   -40.29%     
===========================================
  Files          92      191       +99     
  Lines        9258    20122    +10864     
===========================================
- Hits         6153     5267      -886     
- Misses       2359    14027    +11668     
- Partials      746      828       +82     
Flag        Coverage Δ
e2etests    49.56% <0.00%> (+2.00%) ⬆️
unittests   16.71% <0.00%> (-30.97%) ⬇️

@Hayden-IO Hayden-IO merged commit 4d67ecd into sigstore:main Apr 17, 2026
16 checks passed