
Internal DB error details leaked in API responses #6

Description

@sbley

Problem

Every error handler in src/routes/tasks.js returns res.status(500).json({ error: err.message }), exposing raw SQLite error messages (table names, column names, constraint names) to the client. This violates the 'Never expose internal error details to clients' rule in api.instructions.md.

Recommendation

Replace err.message with a generic user-facing string (e.g., 'Internal server error') in all 500 responses, and log the real error server-side with context using console.error.

Location: src/routes/tasks.js — all db.run/db.get/db.all error callbacks
Severity: high
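The following is an added illustration of the pattern the issue describes and the fix it recommends; it is not code from the project's src/routes/tasks.js. The Express `res` object and the SQLite error are stubbed with constructed stand-ins so the snippet runs offline, and the helper names (`leakyHandler`, `safeHandler`, `leaksDriverDetails`) are assumptions for the example only.

```javascript
// Added example, not the project's code. Shows the leaky 500 handler from the
// issue next to the hardened version (generic client message, detail logged
// server-side), plus a small check that can catch regressions in tests.

// Minimal stand-in for an Express response object (assumption: only
// status() and json() are needed here).
function makeRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Constructed sample: the shape of message node-sqlite3 returns on a
// constraint violation. Note it names the table and column.
const sampleDbError = new Error('SQLITE_CONSTRAINT: UNIQUE constraint failed: tasks.title');

// BEFORE: the handler shape reported in the issue. The raw driver message is
// sent straight to the client.
function leakyHandler(err, res) {
  return res.status(500).json({ error: err.message });
}

// Log lines are collected in an array so the behaviour is checkable offline;
// in the real route file this would be console.error(...).
const serverLog = [];

// AFTER: a generic body for the client, with the full error and request
// context kept server-side.
function safeHandler(err, res, context) {
  serverLog.push(`[${context.route}] ${context.op} failed: ${err.message}`);
  return res.status(500).json({ error: 'Internal server error' });
}

// Regression check for a test suite: does a response body carry anything that
// looks like a SQLite driver message or a schema identifier? (Pattern list is
// an assumption; extend it with the project's own table names.)
function leaksDriverDetails(body) {
  const text = JSON.stringify(body);
  return /SQLITE_|constraint failed|\btasks\b/i.test(text);
}

function demo() {
  const leaky = leakyHandler(sampleDbError, makeRes());
  const safe = safeHandler(sampleDbError, makeRes(), { route: 'POST /tasks', op: 'db.run' });
  return {
    leaky,
    safe,
    leakyLeaks: leaksDriverDetails(leaky.body),
    safeLeaks: leaksDriverDetails(safe.body),
  };
}

module.exports = { makeRes, leakyHandler, safeHandler, leaksDriverDetails, demo, serverLog };
```

Running `demo()` shows the leaky response body containing `tasks.title` while the hardened one only says `Internal server error`, with the table and column name appearing solely in the server-side log line. The `leaksDriverDetails` check is the kind of assertion worth adding to the route tests so the fix does not regress when a new handler is added.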

Metadata

Labels

    bug (Something isn't working)