[AI-assisted] fix(gateway): sanitize error responses to prevent information disclosure#2387
Merged
thewilloftheshadow merged 1 commit intoopenclaw:mainfrom Jan 26, 2026
Conversation
Replace raw error messages with generic 'Internal Server Error' to prevent leaking internal error details to unauthenticated HTTP clients. Fixes #2383
40fd6ff to deea834
thewilloftheshadow added a commit that referenced this pull request on Jan 26, 2026

thewilloftheshadow added a commit that referenced this pull request on Jan 27, 2026

s4na added a commit to s4na/openclaw that referenced this pull request on Jan 30, 2026
## Why

The OpenAI-compatible API endpoints (`openai-http.ts`, `openresponses-http.ts`) were returning raw `String(err)` in error responses. This can leak sensitive internal information to HTTP clients:

- Stack traces revealing code structure
- File paths exposing server directory layout
- Internal error messages from dependencies

This is the same class of vulnerability that was fixed in openclaw#2387 for `server-http.ts`, but these OpenAI-compatible endpoints were missed.

## What

Replace `String(err)` with safe error messages:

- **500 errors (api_error)**: Return generic "Internal server error"
- **400 errors (invalid_request_error)**: Return `err.message` only (no stack trace), with fallback to "Invalid request"

## Changes

- `src/gateway/openai-http.ts`: 2 catch blocks sanitized
- `src/gateway/openresponses-http.ts`: 4 catch blocks sanitized
## Summary

Replaces raw error messages with a generic `Internal Server Error` response to prevent leaking internal error details to HTTP clients.

## Problem

The catch block in `src/gateway/server-http.ts` (line 297) returns `String(err)` directly to clients:

This code path is reachable before authentication (e.g., if `loadConfig()` throws), meaning unauthenticated users can receive internal error messages that may leak:

## Solution

Error details are still logged server-side for debugging.

## Testing

- `pnpm build`
- `pnpm lint`

## AI Disclosure

This PR was AI-assisted (Claude/Codex). The issue was discovered through automated code analysis, and the fix was verified to compile correctly.

Fixes #2383
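The two catch-block shapes discussed in this thread, the `String(err)` pattern removed by #2387 and the 400/500 split applied to the OpenAI-compatible endpoints in the follow-up, side by side as an added example. This is illustrative code written for this page, not OpenClaw's `server-http.ts` or `openai-http.ts`; the `HttpError` class, the `compare` helper, the config path and the thrown messages are constructed for the demonstration, and the `{ error: { message, type } }` envelope is assumed to match the OpenAI-style shape the follow-up names. One detail worth seeing concretely: for an `Error` object, `String(err)` yields `name: message` rather than the stack, and for a failed config load that message alone already carries an absolute server path, which is exactly what the leaky function hands to an unauthenticated caller.

```typescript
// Added example (not OpenClaw's own code): the leaky catch-block pattern beside a
// hardened error mapper. HttpError, ErrorEnvelope, compare() and the paths/messages
// below are hypothetical; the envelope follows the OpenAI-style { error: { message, type } }.

// Errors a handler raises deliberately for the client (bad JSON, missing field, ...).
class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.name = "HttpError";
    this.status = status;
    Object.setPrototypeOf(this, HttpError.prototype); // keeps instanceof working under ES5 targets
  }
}

type ErrorType = "invalid_request_error" | "api_error";

interface ErrorEnvelope {
  error: { message: string; type: ErrorType };
}

interface ErrorResponse {
  status: number;
  body: ErrorEnvelope;
}

// The pattern the PR removes: whatever was thrown is stringified into the response body.
// For an Error this is `${name}: ${message}`; a failed config load puts the server's
// filesystem layout in that message, and it reaches a caller who never authenticated.
function leakyErrorResponse(err: unknown): ErrorResponse {
  return {
    status: 500,
    body: { error: { message: String(err), type: "api_error" } },
  };
}

// Hardened mapper. Only errors the handler raised on purpose with a 4xx status get
// their message echoed (never the stack); everything else, including 5xx HttpErrors
// whose message may name upstream hosts, collapses to a fixed 500. Full detail goes
// to `log` so operators still see it server-side.
function sanitizeError(
  err: unknown,
  log: (detail: string) => void = (d) => console.error(d),
): ErrorResponse {
  log(err instanceof Error ? (err.stack ?? `${err.name}: ${err.message}`) : String(err));

  if (err instanceof HttpError && err.status >= 400 && err.status < 500) {
    const message = err.message.trim() || "Invalid request"; // fallback for empty messages
    return {
      status: err.status,
      body: { error: { message, type: "invalid_request_error" } },
    };
  }
  return {
    status: 500,
    body: { error: { message: "Internal server error", type: "api_error" } },
  };
}

// Runs both mappers on one throwable and captures what the hardened path logged.
function compare(err: unknown): { leaky: ErrorResponse; safe: ErrorResponse; logged: string[] } {
  const logged: string[] = [];
  const safe = sanitizeError(err, (d) => {
    logged.push(d);
  });
  return { leaky: leakyErrorResponse(err), safe, logged };
}

// Constructed failure resembling loadConfig() throwing before auth runs (hypothetical path).
const configFailure = new Error(
  "ENOENT: no such file or directory, open '/srv/openclaw/config.json'",
);

console.log(JSON.stringify(compare(configFailure), null, 2));
```

Run stand-alone, the leaky response exposes `/srv/openclaw/config.json` to the client while the hardened one returns only `Internal server error` and keeps the path in the log. The 4xx branch is deliberately narrow: a 502 raised for an upstream connection failure is treated as internal, because its message typically names the host and port the gateway talks to.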