fix(security): sanitize error messages returned to clients (#1270)

Raw err.Error() strings in handleWebRTCSession, handleLocalWebRTCSignal,
handleLogin, handleSetup (web.go) and OIDC handlers (cloud.go) could expose
internal file paths, system details, or configuration to clients. Replace
with generic messages and log internal errors server-side via zerolog.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Adam Shiervani <adam.shiervani@gmail.com>
This commit is contained in:
Ercan Ermiş
2026-03-16 11:52:27 +01:00
committed by GitHub
parent cde4d74c64
commit edb8162bc3
2 changed files with 11 additions and 8 deletions
+4 -2
@@ -253,7 +253,8 @@ func handleCloudRegister(c *gin.Context) {
provider, err := oidc.NewProvider(c, "https://accounts.google.com")
if err != nil {
c.JSON(500, gin.H{"error": "Failed to initialize OIDC provider: " + err.Error()})
cloudLogger.Error().Err(err).Msg("failed to initialize OIDC provider")
c.JSON(500, gin.H{"error": "Failed to initialize OIDC provider"})
return
}
@@ -264,7 +265,8 @@ func handleCloudRegister(c *gin.Context) {
verifier := provider.Verifier(oidcConfig)
idToken, err := verifier.Verify(c, req.OidcGoogle)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid OIDC token: " + err.Error()})
cloudLogger.Warn().Err(err).Msg("OIDC token verification failed")
c.JSON(400, gin.H{"error": "Invalid OIDC token"})
return
}
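Review bot: The new Warn entry on token verification failure in the second hunk carries only the error, so an operator reviewing the log cannot tell whether repeated failures come from one source; since the client no longer receives the reason, the server-side record is the only place to correlate it, e.g. `cloudLogger.Warn().Err(err).Str("remote_addr", c.ClientIP()).Msg("OIDC token verification failed")`. Both new `c.JSON` lines also keep the bare `500`/`400` codes while the web.go handlers changed in the same commit use the `http.Status*` constants; if cloud.go already imports net/http, `http.StatusInternalServerError` and `http.StatusBadRequest` would keep the two files consistent. handleCloudRegister starts and ends outside both hunks.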
+7 -6
@@ -233,7 +233,7 @@ func handleWebRTCSession(c *gin.Context) {
var req WebRTCSessionRequest
if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
return
}
@@ -297,7 +297,8 @@ func handleLocalWebRTCSignal(c *gin.Context) {
wsCon, err := websocket.Accept(c.Writer, c.Request, wsOptions)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
scopedLogger.Warn().Err(err).Msg("failed to accept websocket connection")
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to establish WebSocket connection"})
return
}
@@ -306,14 +307,14 @@ func handleLocalWebRTCSignal(c *gin.Context) {
err = wsjson.Write(context.Background(), wsCon, gin.H{"type": "device-metadata", "data": gin.H{"deviceVersion": builtAppVersion}})
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
scopedLogger.Warn().Err(err).Msg("failed to write device metadata")
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to send device metadata"})
return
}
err = handleWebRTCSignalWsMessages(wsCon, false, source, connectionID, &scopedLogger)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
scopedLogger.Warn().Err(err).Msg("websocket session ended with error")
}
}
@@ -509,7 +510,7 @@ func handleLogin(c *gin.Context) {
var req LoginRequest
if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
return
}
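Review bot: In the third hunk of web.go the new `c.JSON(http.StatusInternalServerError, ...)` after a failed `wsjson.Write` is written to a ResponseWriter that `websocket.Accept` has already hijacked, so the generic message never reaches the client and the open WebSocket is left without a close frame; the failure should be signalled on the socket instead, e.g. `wsCon.Close(websocket.StatusInternalError, "failed to send device metadata")`, unless a deferred close in the unshown lines between the two hunks already covers it. The same concern applies, in a weaker form, to the second hunk: as far as I recall `websocket.Accept` writes its own HTTP error response before returning a non-nil error, so the added `c.JSON` there is likely a second response to the same request and could be reduced to the log line. The `context.Background()` on the metadata write is pre-existing, but with no deadline a stalled client holds the handler indefinitely; a short `context.WithTimeout` derived from `c.Request.Context()` would bound it. handleLocalWebRTCSignal starts before the second hunk and its closing brace is inside the third.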