Summary
The public ErrorResponse TypeBox schema (src/models.ts:322-325) includes an optional stackTrace field. This field is part of the API contract and is serialised in 400 responses at src/api_productions.ts:737.
Currently, stackTrace is populated with a literal string ('Failed to generate sdp offer for endpoint'), not a real stack trace — so there is no immediate leak. However, the field is part of the public schema, which means:
- Future developers may mistake it for the correct place to put
err.stack, leaking internal paths, library versions, and file structure to clients.
- The field appears in the OpenAPI/Swagger schema (
/api/docs), advertising an attack vector.
Affected Files
src/models.ts ~line 322: stackTrace: Type.Optional(Type.String())
src/api_productions.ts ~line 737: usage site
Severity
Low (current behaviour is safe; risk is future misuse)
Fix
- Remove the
stackTrace field from ErrorResponse in models.ts.
- At
api_productions.ts:737, replace the stackTrace usage with an appropriate human-readable message field.
- Log actual stack traces server-side with
Log().error(err) only — never include them in client responses.
Summary
The public
ErrorResponseTypeBox schema (src/models.ts:322-325) includes an optionalstackTracefield. This field is part of the API contract and is serialised in 400 responses atsrc/api_productions.ts:737.Currently,
stackTraceis populated with a literal string ('Failed to generate sdp offer for endpoint'), not a real stack trace — so there is no immediate leak. However, the field is part of the public schema, which means:err.stack, leaking internal paths, library versions, and file structure to clients./api/docs), advertising an attack vector.Affected Files
src/models.ts~line 322:stackTrace: Type.Optional(Type.String())src/api_productions.ts~line 737: usage siteSeverity
Low (current behaviour is safe; risk is future misuse)
Fix
stackTracefield fromErrorResponseinmodels.ts.api_productions.ts:737, replace thestackTraceusage with an appropriate human-readablemessagefield.Log().error(err)only — never include them in client responses.