Badgerati / Pode

Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers
https://badgerati.github.io/Pode
MIT License

Pull Request: Enhanced Error Handling for Internal Pode Errors #1334

Closed mdaneri closed 2 months ago

mdaneri commented 2 months ago

Description

This pull request introduces a modification to the error handling mechanism within Pode. The key change is the enhancement of how internal errors are reported. Previously, any internal Pode error would generate an HTTP 500 status code along with the associated exception's internal information. This approach has been updated to improve security and user experience.

Key Changes:

  1. Default Error Handling:

    • By default, any internal Pode error will now generate an HTTP 500 status code without returning any additional internal information to the user. This change enhances security by preventing the exposure of internal server details.
  2. Debugging Support:

    • Added a new -Code500Details switch parameter to the Start-PodeServer function.
    • When this switch is present, the server will return an HTTP 500 status code along with the exception details. This is particularly useful for debugging purposes.
    • The Code500Details parameter can also be passed using server.psd1 in the following format:

```powershell
@{
    # omit
    Server = @{
        # omit
        Debug = @{
            Code500Details = $true
        }
    }
}
```

Implementation Details:

Example Usage:

```powershell
# Start the Pode server with default error handling
Start-PodeServer

# Start the Pode server with detailed error information in HTTP 500 responses for debugging
Start-PodeServer -Code500Details
```

Documentation:

Updated the function headers and inline documentation to reflect the changes. Updated the documentation to reflect the changes.

Badgerati commented 2 months ago

Out of interest, did you have either -StatusPageExceptions Show on Start-PodeServer or ErrorPage.StatusExceptions = $true in the server.psd1 set? (note: in /examples it's set to true).

The StatusException switch controls whether the exception details are shown or not (can be seen in Show-PodeErrorPage), setting it to Hide, or false in server.psd1, stops them from being displayed.

On a fresh setup without that parameter on Start-PodeServer and no server.psd1, the exceptions will be hidden.
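The following is an added example (not code from this PR or from the Pode project) showing the existing control Badgerati describes: a server with one route that throws, started with `-StatusPageExceptions Hide` so the 500 page carries no exception detail. The `localhost:8080` endpoint, the `/boom` route and the exception message are constructed for the demo.

```powershell
# Added example, not part of the PR. Requires the Pode module (Install-Module Pode).
# Shows the existing -StatusPageExceptions switch on Start-PodeServer instead of the
# -Code500Details switch this PR proposed.
Import-Module Pode

# Hide: internal exceptions produce a generic 500 page with no exception text.
# Change to Show only for local debugging; it is the setting that leaks details.
Start-PodeServer -StatusPageExceptions Hide {
    # Assumed endpoint for the demo
    Add-PodeEndpoint -Address localhost -Port 8080 -Protocol Http

    # A route that fails with a message containing something a client must never
    # see. The connection string is constructed for the demo, not a real secret.
    Add-PodeRoute -Method Get -Path '/boom' -ScriptBlock {
        throw 'Connection failed for Server=db01;User=svc_app;Password=hunter2'
    }
}
```

Run the script, then in a second shell request `curl -i http://localhost:8080/boom`: the response is a 500 and, with Hide, the body should not contain the thrown message. Rerun with `-StatusPageExceptions Show` to confirm the difference. Because the switch has no effect if a deployed server.psd1 enables exceptions (the /examples copy does, as noted above), grep the deployed config for the error-page exceptions key before assuming details are hidden; the key name in the current Pode docs is assumed here to be `Web.ErrorPages.ShowExceptions`, so verify it against the documentation for the Pode version in use.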

mdaneri commented 2 months ago

The quick answer is no, and I was not aware 😊 I'm going to try it.

I created this pull request yesterday in a rush because I saw it in production, and I don't want Infosec to find this security issue.

mdaneri commented 2 months ago

My bad. I'm closing the pull request and adding a note to the documentation.