Skip to content

Security: ErrorResponse TypeBox schema includes optional stackTrace field — risk of leaking internal stack traces #258

Description

@LucasMaupin

Summary

The public ErrorResponse TypeBox schema (src/models.ts:322-325) includes an optional stackTrace field. This field is part of the API contract and is serialised in 400 responses at src/api_productions.ts:737.

Currently, stackTrace is populated with a literal string ('Failed to generate sdp offer for endpoint'), not a real stack trace — so there is no immediate leak. However, the field is part of the public schema, which means:

  1. Future developers may mistake it for the correct place to put err.stack, leaking internal paths, library versions, and file structure to clients.
  2. The field appears in the OpenAPI/Swagger schema (/api/docs), advertising an attack vector.

Affected Files

  • src/models.ts ~line 322: stackTrace: Type.Optional(Type.String())
  • src/api_productions.ts ~line 737: usage site

Severity

Low (current behaviour is safe; risk is future misuse)

Fix

  1. Remove the stackTrace field from ErrorResponse in models.ts.
  2. At api_productions.ts:737, replace the stackTrace usage with an appropriate human-readable message field.
  3. Log actual stack traces server-side with Log().error(err) only — never include them in client responses.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions