fix: sanitize internal error details in global 500 handler

Jiahao · Jiahao · commit 69cb3bedfd46 · 2026-04-08T18:53:52.000+02:00
The catch-all exception handler was returning str(exc) directly in the API response, leaking internal filesystem paths, backend error messages, and configuration details to clients (information disclosure). - Replace str(exc) with a static "Internal server error" message - Upgrade logger.warning to logger.exception so the full traceback is preserved in server logs for debugging Closes #1233
diff --git a/openviking/server/app.py b/openviking/server/app.py
@@ -186,14 +186,14 @@ async def openviking_error_handler(request: Request, exc: OpenVikingError):
     # Catch-all for unhandled exceptions so clients always get JSON
     @app.exception_handler(Exception)
     async def general_error_handler(request: Request, exc: Exception):
-        logger.warning("Unhandled exception: %s", exc)
+        logger.exception("Unhandled exception")
         return JSONResponse(
             status_code=500,
             content=Response(
                 status="error",
                 error=ErrorInfo(
                     code="INTERNAL",
-                    message=str(exc),
+                    message="Internal server error",
                 ),
             ).model_dump(),
         )
