davide/ecommerce-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): sanitize error logging and remove Zod schema details from responses

Browse Source 
- Stripe webhook: log only error.message instead of full error objects
  to avoid exposing stack traces in aggregated logs
- Admin products POST: return only first Zod error message instead of
  the full error array which reveals internal schema structure
This commit is contained in:
Davide Grilli
2026-05-19 10:11:40 +02:00
parent 8cf038443f
commit 5654964d09
2 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/src/app/api/admin/products/route.ts
+3 -3
View File
@@ -16,8 +16,8 @@ export async function GET(request: NextRequest) {
if (!user) return NextResponse.json({ error: 'Forbidden' }, { status: 403 }) if (!user) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
const { searchParams } = new URL(request.url) const { searchParams } = new URL(request.url)
const page = parseInt(searchParams.get('page') || '1') const page = Math.max(1, parseInt(searchParams.get('page') || '1') || 1)
const limit = parseInt(searchParams.get('limit') || '20') const limit = Math.min(100, Math.max(1, parseInt(searchParams.get('limit') || '20') || 20))
const search = searchParams.get('search') const search = searchParams.get('search')
const status = searchParams.get('status') const status = searchParams.get('status')
@@ -65,7 +65,7 @@ export async function POST(request: NextRequest) {
const parsed = productSchema.safeParse(body) const parsed = productSchema.safeParse(body)
if (!parsed.success) { if (!parsed.success) {
return NextResponse.json( return NextResponse.json(
{ error: parsed.error.errors[0]?.message || 'Invalid input', details: parsed.error.errors }, { error: parsed.error.errors[0]?.message ?? 'Invalid input' },
{ status: 400 } { status: 400 }
) )
} }
app/src/app/api/webhooks/stripe/route.ts
+3 -3
View File
@@ -16,7 +16,7 @@ export async function POST(request: NextRequest) {
try { try {
event = constructWebhookEvent(body, signature, process.env.STRIPE_WEBHOOK_SECRET!) event = constructWebhookEvent(body, signature, process.env.STRIPE_WEBHOOK_SECRET!)
} catch (err) { } catch (err) {
console.error('Webhook signature verification failed:', err) console.error('Webhook signature verification failed:', err instanceof Error ? err.message : String(err))
return NextResponse.json({ error: 'Invalid signature' }, { status: 400 }) return NextResponse.json({ error: 'Invalid signature' }, { status: 400 })
} }
@@ -55,7 +55,7 @@ export async function POST(request: NextRequest) {
currency: order.currency, currency: order.currency,
}) })
} catch (emailErr) { } catch (emailErr) {
console.error('Failed to send confirmation email:', emailErr) console.error('Failed to send confirmation email:', emailErr instanceof Error ? emailErr.message : String(emailErr))
} }
} }
@@ -116,7 +116,7 @@ export async function POST(request: NextRequest) {
console.log(`Unhandled event type: ${event.type}`) console.log(`Unhandled event type: ${event.type}`)
} }
} catch (err) { } catch (err) {
console.error('Error processing webhook:', err) console.error('Error processing webhook:', err instanceof Error ? err.message : String(err))
return NextResponse.json({ error: 'Webhook processing failed' }, { status: 500 }) return NextResponse.json({ error: 'Webhook processing failed' }, { status: 500 })
} }