
API route leak content of errors

Open cram0 opened this issue 3 years ago • 3 comments

Environment


  • Operating System: Linux
  • Node Version: v16.15.0
  • Nuxt Version: 3.0.0-rc.6
  • Package Manager: [email protected]
  • Builder: vite
  • User Config: vite
  • Runtime Modules: -
  • Build Modules: -

Reproduction

  1. Clone this repo:

https://github.com/cram0/poc_secret

  2. Install dependencies:

npm i

  3. Run build and preview:

npm run build && npm run preview

  4. Once the server is running, do a POST request with cURL:

curl -X POST -H 'Content-Type: application/json' -d '{}' http://127.0.0.1:3000/api/test

You should see the message returned by the server, which is the thrown error:

{"url":"/api/test","statusCode":500,"statusMessage":"Internal Server Error","message":"Hello secret error","description":""}

And the error thrown by the server:

[nuxt] [request error] Hello secret error
  at createError (./server/node_modules/h3/dist/index.mjs:191:12)
  at Server.nodeHandler (./server/node_modules/h3/dist/index.mjs:386:21)

Describe the bug

Basically, the Nuxt server returns the error thrown inside of API routes using h3.

Additional context

No response

Logs

[h3] [unhandled] H3Error: Hello secret error
    at createError (file:///xxx/poc_secret/.output/server/node_modules/h3/dist/index.mjs:191:12)
    at Server.nodeHandler (file:///xxx/poc_secret/.output/server/node_modules/h3/dist/index.mjs:386:21) {
  statusCode: 500,
  fatal: false,
  unhandled: true,
  statusMessage: 'Internal Server Error'
}
[nuxt] [request error] Hello secret error
  at createError (./server/node_modules/h3/dist/index.mjs:191:12)  
  at Server.nodeHandler (./server/node_modules/h3/dist/index.mjs:386:21)

cram0 avatar Aug 03 '22 09:08 cram0

This is the intended behaviour. You can control what message is returned on a server endpoint by calling throw createError({ }): https://v3.nuxtjs.org/api/utils/create-error#throwing-errors-in-api-routes.

Can you explain more about what you feel the issue is?

danielroe avatar Aug 03 '22 10:08 danielroe

Well, the problem is that any exception that happens outside try/catch brackets could lead to potential leaks. Unless you have EVERY route filled with try/catch, which is not what everyone is willing to have (including me).

If we could handle unexpected errors (and in that case have our own error management system) when they happen, that would've been great.

cram0 avatar Aug 03 '22 14:08 cram0
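The following is an added example, not code from this issue, from Nuxt or from h3. It models the two positions in the thread: danielroe's point that a route can throw createError() with a message chosen by the author, and cram0's concern that any exception not caught by a per-route try/catch reaches the client with its original message. `HttpError`, `createError`, `dispatch` and `withSafeErrors` are assumed stand-ins written for this example; only the `{url, statusCode, statusMessage, message}` body shape is taken from the JSON response quoted in the report. The sensitive string in the simulated database error is constructed.

```javascript
// Added example (not from the issue, Nuxt or h3). Models how an unhandled
// exception's message is copied into a 500 response, and two ways to stop it:
// a per-route try/catch that throws createError() with a safe message, and a
// wrapper applied once that sanitises anything unexpected.

// Stand-in for an h3-style error object (assumed shape, not h3's own class).
class HttpError extends Error {
  constructor({ statusCode = 500, statusMessage = 'Internal Server Error', message = '' } = {}) {
    super(message);
    this.statusCode = statusCode;
    this.statusMessage = statusMessage;
  }
}
function createError(opts) {
  return new HttpError(opts);
}

// Simulates the runtime behaviour reported in the issue: whatever a handler
// throws is serialised, message included, into the JSON error body.
function dispatch(handler, body, url = '/api/test') {
  try {
    return { statusCode: 200, body: handler(body) };
  } catch (err) {
    const statusCode = err.statusCode ?? 500;
    return {
      statusCode,
      body: {
        url,
        statusCode,
        statusMessage: err.statusMessage ?? 'Internal Server Error',
        message: err.message, // this copy is the leak for unexpected errors
        description: '',
      },
    };
  }
}

// Stand-in for a dependency that fails with a sensitive detail in its message
// (constructed value, not a real credential).
function connectToDatabase() {
  throw new Error('connect failed for app@db.internal (password: CONSTRUCTED-SECRET)');
}

// 1. Leaky route: the raw exception escapes to the client unchanged.
function leakyRoute(body) {
  connectToDatabase();
  return { ok: true, received: body };
}

// 2. Per-route fix from the thread: catch, log, rethrow a createError() whose
//    message is safe to send. A deliberate 4xx keeps its author-chosen message.
function explicitRoute(body, log = () => {}) {
  if (!body || typeof body.token !== 'string') {
    throw createError({ statusCode: 400, statusMessage: 'Bad Request', message: 'token is required' });
  }
  try {
    connectToDatabase();
    return { ok: true };
  } catch (err) {
    log('[request error]', err); // full detail stays in the server log only
    throw createError({ statusCode: 500, message: 'Internal Server Error' });
  }
}

// 3. Wrapper applied once so routes need no individual try/catch: anything that
//    is not a deliberate createError() is logged and replaced by a generic 500.
function withSafeErrors(handler, log = () => {}) {
  return (body) => {
    try {
      return handler(body);
    } catch (err) {
      if (err instanceof HttpError) throw err; // intentional, already sanitised by the author
      log('[request error]', err);
      throw createError({ statusCode: 500, message: 'Internal Server Error' });
    }
  };
}

// Usage: the same empty JSON body as the cURL request in the report, sent to
// the leaky route, the wrapped route and the explicit route.
function demo() {
  return {
    leaky: dispatch(leakyRoute, {}).body,
    wrapped: dispatch(withSafeErrors(leakyRoute, console.error), {}).body,
    explicit: dispatch((b) => explicitRoute(b, console.error), {}).body,
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

The wrapper passes through any `HttpError` because those were thrown on purpose with a message the author chose; everything else is treated as unexpected and reduced to the generic status text, with the original error going to the server log where the stack trace in the report belongs.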

We have some potential improvements we can make regarding unhandled/handled errors - might be worth wrapping this discussion into that. cc: @pi0.

danielroe avatar Aug 05 '22 13:08 danielroe