security: harden default error handler — safe-by-default (#51)

jkyberneees · molty3000 · web-flow · commit f7ad8bd2d3b6 · 2026-05-14T17:51:43.000+02:00
* security: harden default error handler — safe-by-default

BREAKING: DEFAULT_ERROR_HANDLER now only exposes error details in
NODE_ENV=development (opt-in). All other modes — production, staging,
testing, and unset NODE_ENV — return sanitized "Internal Server Error".

Previously, any mode except production leaked err.message to clients,
which could expose DB queries, file paths, or internal state.

Changes:
- lib/router/sequential.js: flip condition from === 'production' to
  === 'development', add Content-Type header
- tests/nested-routers.test.js: expect sanitized response in test mode
- tests/router-coverage.test.js: expect sanitized response in test mode
- tests/v4.4.test.js: add NODE_ENV-unset test
- tooling/pentest.js: comprehensive 48-vector security test suite

Pen test results: 48/48 passed, 0 findings (post-fix)
Test suite: 64/64 passed, 97.7% coverage

* fix: standard lint compliance in pentest.js

- Remove unused requires (http, url)
- Remove unused variables (checkPrototypePollution, timeout, nested→const)
- Fix trailing commas (standard style)
- Fix quotes (single quotes for strings)
- Fix dot notation (res.getHeader('server') not ['server'])
- Fix _body getter (captures mock response body correctly)
- Convert template literals to string concatenation for standard

---------

Co-authored-by: molty3000 &lt;molty@21no.de&gt;
diff --git a/lib/router/sequential.js b/lib/router/sequential.js
@@ -15,10 +15,13 @@ const DEFAULT_ROUTE = (req, res) => {
 
 const DEFAULT_ERROR_HANDLER = (err, req, res) => {
   res.statusCode = 500
-  if (process.env.NODE_ENV === 'production') {
-    res.end('Internal Server Error')
-  } else {
+  res.setHeader('Content-Type', 'text/plain')
+  // Safe by default: only expose error details in explicit development mode.
+  // Production, staging, testing, and unset NODE_ENV all receive sanitized response.
+  if (process.env.NODE_ENV === 'development') {
     res.end(err.message)
+  } else {
+    res.end('Internal Server Error')
   }
 }
 
diff --git a/tests/nested-routers.test.js b/tests/nested-routers.test.js
@@ -98,7 +98,7 @@ describe('0http - Nested Routers', () => {
       .get('/r2/rolando/throw')
       .expect(500)
       .then((response) => {
-        expect(response.text).to.equals('nested error')
+        expect(response.text).to.equals('Internal Server Error')
       })
   })
 
diff --git a/tests/router-coverage.test.js b/tests/router-coverage.test.js
@@ -161,7 +161,7 @@ describe('0http - Router Coverage', () => {
         .get('/error')
         .expect(500)
         .then((response) => {
-          expect(response.text).to.equal('Intentional error')
+          expect(response.text).to.equal('Internal Server Error')
         })
     })
 
diff --git a/tests/v4.4.test.js b/tests/v4.4.test.js
@@ -28,6 +28,20 @@ describe('v4.4 Improvements', () => {
         .expect('Internal Server Error')
     })
 
+    it('should hide error message when NODE_ENV is unset', async () => {
+      delete process.env.NODE_ENV
+      const { router, server } = cero()
+
+      router.get('/error', (req, res, next) => {
+        next(new Error('Sensitive Info'))
+      })
+
+      await request(server)
+        .get('/error')
+        .expect(500)
+        .expect('Internal Server Error')
+    })
+
     it('should show error message in development', async () => {
       process.env.NODE_ENV = 'development'
       const { router, server } = cero()
diff --git a/tooling/pentest.js b/tooling/pentest.js
