security: Potential information exposure through an exception

okbrandon · Dec 12, 2024 · f85cd1e · f85cd1e
1 parent 4a03845
commit f85cd1e
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/backend/api/views/auth.py b/backend/api/views/auth.py
@@ -28,7 +28,7 @@ def post(self, request, *args, **kwargs):
         try:
             data = self.validate_request_data(request.data)
         except ValidationError as ex:
-            return Response({"error": ex}, status=status.HTTP_400_BAD_REQUEST)
+            return Response({"error": "Internal server error"}, status=status.HTTP_400_BAD_REQUEST)
 
         if User.objects.filter(username=data['username']).exists():
             return Response({"error": "Username is already taken"}, status=status.HTTP_409_CONFLICT)

diff --git a/backend/api/views/tournaments.py b/backend/api/views/tournaments.py
@@ -58,7 +58,7 @@ def post(self, request):
             )
             tournament.participants.add(request.user)
         except Exception as e:
-            return Response({"error": str(e)}, status=status.HTTP_400_BAD_REQUEST)
+            return Response({"error": "Internal server error"}, status=status.HTTP_400_BAD_REQUEST)
 
         serializer = TournamentSerializer(tournament)
         return Response(serializer.data, status=status.HTTP_201_CREATED)
@@ -168,7 +168,7 @@ def get(self, request):
             else:
                 return Response({"message": "User is not currently subscribed to any tournament"}, status=status.HTTP_404_NOT_FOUND)
         except Exception as e:
-            return Response({"error": str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+            return Response({"error": "Internal server error"}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
     def delete(self, request):
         try:
@@ -208,7 +208,7 @@ def delete(self, request):
             else:
                 return Response({"message": "User is not currently subscribed to any tournament"}, status=status.HTTP_404_NOT_FOUND)
         except Exception as e:
-            return Response({"error": str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+            return Response({"error": "Internal server error"}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class TournamentDetail(APIView):
     def get(self, request, tournamentID):

diff --git a/backend/api/views/users.py b/backend/api/views/users.py
@@ -105,7 +105,7 @@ def patch(self, request, *args, **kwargs):
             profile = get_safe_profile(serializer.data, me=True)
             return Response(profile, status=status.HTTP_200_OK)
         except Exception as e:
-            return Response({"error": f"An error occurred: {str(e)}"}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+            return Response({"error": f"Internal server error"}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
     def delete(self, request, *args, **kwargs):
         me = request.user