fix: Server internal error details leaking in error messages returned to clients (#9937)

2025-11-23 13:51:42 +01:00
parent 38c9d2e359
commit 50edb5ab4b
35 changed files with 390 additions and 125 deletions
--- a/src/Routers/FilesRouter.js
+++ b/src/Routers/FilesRouter.js
@@ -5,6 +5,7 @@ import Config from '../Config';
 import logger from '../logger';
 const triggers = require('../triggers');
 const Utils = require('../Utils');
+import { createSanitizedError } from '../Error';

 export class FilesRouter {
  expressRouter({ maxUploadSize = '20Mb' } = {}) {
@@ -43,7 +44,7 @@ export class FilesRouter {
    const config = Config.get(req.params.appId);
    if (!config) {
      res.status(403);
-      const err = new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
+      const err = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
      res.json({ code: err.code, error: err.message });
      return;
    }