aussiebroadwan / tipping

A tipping application designed for the Aussie BroadWAN community to engage in tipping on NRL competitions, including NRL Women's Championship and State of Origin.
MIT License

Update API Endpoints to Avoid Returning Raw Internal Errors #11

Open lcox74 opened 3 weeks ago

lcox74 commented 3 weeks ago

Currently, the API endpoints in our NRL Tipping Application return raw internal error messages directly in the HTTP responses. This behavior can expose sensitive information about the internal workings of the application, potentially leading to security vulnerabilities.

Impact

Returning raw error messages can provide attackers with valuable insights into the application's structure, database schema, or internal logic. This information could be used to exploit vulnerabilities or conduct targeted attacks.

Proposed Solution

  1. Review All API Endpoints: Identify all the places where internal errors are being returned directly in the response body.
  2. Implement Generic Error Messages: Replace raw internal errors with generic error messages, such as "Internal Server Error" or "An unexpected error occurred."
  3. Log Detailed Errors: Ensure that detailed error messages are logged internally using the logging framework for debugging and auditing purposes.
  4. Test Changes: Test all endpoints to ensure that the updated error handling does not affect the API's functionality or user experience.

Endpoints Affected

/api/v1/competitions
/api/v1/fixtures
/api/v1/fixtures/{competition_id}
/api/v1/fixtures/{competition_id}/{match_id}

Example Change

Instead of:

if err != nil {
    http.Error(w, err.Error(), http.StatusInternalServerError)
    return
}

Use:

if err != nil {
    log.Errorf("Error retrieving data: %v", err)
    http.Error(w, "Internal Server Error", http.StatusInternalServerError)
    return
}

lcox74 commented 3 weeks ago

Alternatively, we can do a Sea of Thieves and theme error codes in the response so we still know what is wrong and have some understanding of the error, but we still log the full detailed error.
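
An added example, not code from the tipping repository, that combines both suggestions in this thread: the handler logs the full error server-side and returns only a stable public code with a fixed message. The names `ErrNotFound`, `classify`, `writeError`, `demo` and the code strings are assumptions made for illustration, and the standard library `log` package stands in for whatever logger the project uses.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// ErrNotFound is a hypothetical sentinel the data layer would return.
var ErrNotFound = errors.New("not found")

// classify maps an internal error to a status, a stable public code and a
// fixed message. The code names are constructed for this example.
func classify(err error) (status int, code, msg string) {
	if errors.Is(err, ErrNotFound) {
		return http.StatusNotFound, "FIXTURE_NOT_FOUND", "Fixture not found"
	}
	return http.StatusInternalServerError, "INTERNAL", "Internal Server Error"
}

// writeError logs the full error server-side and sends only the public code.
func writeError(w http.ResponseWriter, r *http.Request, l *log.Logger, err error) {
	status, code, msg := classify(err)
	// %q quotes values so embedded newlines cannot forge log lines.
	l.Printf("code=%s path=%q err=%q", code, r.URL.Path, err)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"code": code, "message": msg})
}

// demo runs one failing request; returns status, response body and log text.
func demo(err error) (int, string, string) {
	var logs bytes.Buffer
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/fixtures/1/2", nil)
	writeError(rec, req, log.New(&logs, "", 0), err)
	return rec.Code, rec.Body.String(), logs.String()
}

func main() {
	// Constructed error resembling a leaky database driver message.
	err := fmt.Errorf("query fixtures: %w", errors.New(`pq: relation "fixtures" does not exist`))
	fmt.Println(demo(err))
}
```

Any error that `classify` does not recognise falls through to the generic 500 response, so a newly introduced failure mode stays out of the response body by default.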