From ef1d064ebdab8a45d111a0eaa79e673c6e722ac9 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 31 Mar 2026 19:40:56 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM]=20?=
 =?UTF-8?q?Fix=20Information=20Exposure=20through=20Error=20Messages?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Added `logging` import and instantiated logger in `api/dataset_api.py`.
* Used `logger.exception` to log the detailed exception server-side in all `except sqlite3.Error:` blocks.
* Kept the original `HTTPException` responses with generic 500 status codes.
* Addressed `ruff` E501 line length linting error in `validate_identifier`.
* Verified changes locally with `uv run pytest test_dataset_api_final.py` (with manual installation of `bcrypt`).

Co-authored-by: daggerstuff <261005129+daggerstuff@users.noreply.github.com>
---
 api/dataset_api.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/api/dataset_api.py b/api/dataset_api.py
index 43c4ef3a..26ae55b1 100644
--- a/api/dataset_api.py
+++ b/api/dataset_api.py
@@ -1,3 +1,4 @@
+import logging
 import os
 import re
 import sqlite3
@@ -5,6 +6,7 @@
from fastapi import Depends, FastAPI, HTTPException, Query, Request, Security, status from pydantic import BaseModel + from security.api_authentication import ( AuthenticationSystem, PermissionLevel,
@@ -27,6 +29,8 @@
     expires_in_days=365,
 )
 
+logger = logging.getLogger(__name__)
+
 app = FastAPI(
     title="Dataset Access API", description="API for accessing and querying datasets."
 )
@@ -41,7 +45,9 @@ def validate_identifier(identifier: str) -> str:
     This prevents SQL injection by disallowing special characters.
     """
     if not re.match(r"^[a-zA-Z0-9_]+$", identifier):
-        raise HTTPException(status_code=400, detail=f"Invalid identifier format: {identifier}")
+        raise HTTPException(
+            status_code=400, detail=f"Invalid identifier format: {identifier}"
+        )
     return identifier
 
 
@@ -178,6 +184,7 @@ async def list_datasets(
                 )
             )
     except sqlite3.Error:
+        logger.exception("Database error occurred while listing datasets")
         raise HTTPException(status_code=500, detail="Database error occurred")
     finally:
         if conn:
@@ -235,6 +242,7 @@ async def get_dataset_metadata(
             columns=columns,
         )
     except sqlite3.Error:
+        logger.exception("Database error occurred while getting dataset metadata")
         raise HTTPException(status_code=500, detail="Database error occurred")
     finally:
         if conn:
@@ -315,6 +323,7 @@ async def query_dataset(
         )
 
     except sqlite3.Error:
+        logger.exception("Database error occurred while querying dataset")
         raise HTTPException(status_code=500, detail="Database error occurred")
     finally:
         if conn:
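Review bot: The wrapped `raise` still interpolates the raw `identifier` into the 400 body, and the guard on the line above, `re.match(r"^[a-zA-Z0-9_]+$", identifier)`, accepts a value ending in a newline because `$` also matches just before a trailing `\n`; `re.fullmatch(r"[a-zA-Z0-9_]+", identifier)` closes that gap so the string that reaches the SQL text contains only the allowed characters. Since this commit is about keeping diagnostic detail out of responses, a fixed message such as `detail="Invalid identifier format"` with the rejected value logged at warning level server-side is the consistent choice. validate_identifier's `def` line and the start of its docstring are outside the hunk.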
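Review bot: The re-raise right after the new `logger.exception(...)` still chains the `sqlite3.Error` as the `HTTPException`'s implicit `__context__`, and the same pattern repeats in the get_dataset_metadata and query_dataset hunks; now that the detail is logged server-side, `raise HTTPException(status_code=500, detail="Database error occurred") from None` makes the intent explicit and keeps the database traceback out of any custom exception handler or debug middleware that renders chained exceptions (FastAPI's default HTTPException handler does not, so this is belt-and-braces). The three messages carry no correlation data, so a burst of them cannot be tied to a request; passing the already-validated dataset identifier as a lazy %-arg, e.g. `logger.exception("Database error while querying dataset %s", dataset_name)`, would make the records actionable without writing raw user input to the log — the parameter name is assumed and should match the handler's signature. Nothing in the patch configures a handler; if the application does not set one up elsewhere, these ERROR records reach stderr through logging's last-resort handler without timestamps, so confirm a logging config exists before relying on this as the audit trail. The enclosing handlers start outside the hunk.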