fix: remove error from dyn field failure response to prevent exposure#220

Merged

tarekio merged 3 commits into main from fix-error-exposure on Nov 18, 2025

Conversation

@tarekio
Contributor

@tarekio tarekio commented Nov 8, 2025

Jira Issue

  1. [Add links to jira issues]

Description

[Brief description of changes]

Checklist

  • Tests added/updated
  • Documentation updated (if needed)
  • New strings prepared for translations

API Changes (if applicable)

  • Permissions checked
  • Endpoint tests added

Additional Notes

[Any other relevant information]

@coderabbitai

coderabbitai bot commented Nov 8, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@tarekio tarekio changed the title from "fix: fix for error exposure through dyn field failure" to "fix: remove error from dyn field failure response to prevent exposure" on Nov 8, 2025
@level09
Collaborator

level09 commented Nov 8, 2025

This + the previous PR are okay but I realized we are breaking an important UX in our dynamic form.

Users will now get some vague "Failed to create field" instead of per-field hints.

I will refactor this a bit more to provide a middle ground (Good ux + no codeql info exposure)

Expose validation errors (4xx) to users for actionable feedback while
logging server errors (5xx) to prevent information leakage. Added
expose_errors parameter for manual override when needed.

Updated dynamic fields endpoint to pass errors via errors parameter
instead of interpolating into message.
@level09
Collaborator

level09 commented Nov 8, 2025

Updated now with a smart fix: 4xx validation errors don't expose sensitive info and will be sent to the user. 5xx errors are hidden from users.

Http Response class handles them automatically.
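The 4xx/5xx split described in the commit message and the comment above, as an added example that is not the project's own code: a constructed response helper that takes the `errors` and `expose_errors` parameters the PR mentions, sends validation errors to the user, and masks server errors behind a generic message while logging the detail. The function names, the `HttpResponse` dataclass, the in-memory store and the sample error strings are assumptions.

```python
import logging
from dataclasses import dataclass
from typing import Optional

# Constructed example, not the project's HttpResponse; all names here are assumptions.
log = logging.getLogger("api")

GENERIC_MESSAGE = "Failed to create field"  # the only text a user sees for a masked 5xx


@dataclass
class HttpResponse:
    status: int
    message: str
    errors: Optional[dict] = None  # carried as a separate field, never interpolated into message

    def to_dict(self) -> dict:
        body = {"status": self.status, "message": self.message}
        if self.errors:
            body["errors"] = self.errors
        return body


def build_error_response(status: int, message: str, errors: Optional[dict] = None,
                         expose_errors: Optional[bool] = None) -> dict:
    """4xx: return errors to the user as actionable per-field hints.
    5xx: log message and errors server-side, return only the generic message.
    expose_errors=True/False overrides the status-based default."""
    expose = (400 <= status < 500) if expose_errors is None else expose_errors
    if expose:
        return HttpResponse(status, message, errors).to_dict()
    log.error("masked %d response: %s errors=%r", status, message, errors)
    return HttpResponse(status, GENERIC_MESSAGE).to_dict()


_FIELDS = {"email"}  # constructed in-memory store standing in for the database table


def _db_insert(title: str) -> None:
    if title in _FIELDS:  # the kind of detail that must not reach the client
        raise RuntimeError(f"duplicate key value violates unique constraint dyn_field_title_key: ({title})")
    _FIELDS.add(title)


def create_field(title: str) -> dict:
    """Simulated dynamic-field endpoint: validation failure is a 4xx, a database failure is a 5xx."""
    if not title or len(title) > 255:
        return build_error_response(400, "Validation failed", errors={"title": "must be 1 to 255 characters"})
    try:
        _db_insert(title)
    except RuntimeError as exc:
        return build_error_response(500, "Database error", errors={"db": str(exc)})
    return {"status": 201, "message": "Field created"}
```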

Collaborator

@level09 level09 left a comment


I think this is good to go, balances security with UX.

Test I ran: overly long field titles in dynamic forms. Database errors properly masked while validation errors remained visible.

But this revealed an unrelated minor validation bug during testing (missing max length check); will fix separately in another PR.

@apodacaduron I think we need this on FE as well, I'll provide details 👍

@tarekio tarekio merged commit f47f45e into main Nov 18, 2025
11 checks passed
@tarekio tarekio deleted the fix-error-exposure branch November 18, 2025 20:00