From ed9c2a39d15be9cb9335ec3b2a24b34d9282c395 Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Fri, 30 Jan 2026 18:56:29 -0500
Subject: [PATCH] Fix error message disclosure in API endpoints

Replace exception getMessage() exposure with generic error messages to prevent internal information disclosure. Errors are now logged with full details while clients receive sanitized responses.

Affected endpoints:
- add_comment, update_comment, delete_comment
- update_ticket, export_tickets
- generate_api_key, revoke_api_key
- manage_templates, manage_workflows, manage_recurring
- custom_fields, get_users

Co-Authored-By: Claude Opus 4.5
---
 api/add_comment.php | 7 +++++--
 api/custom_fields.php | 3 ++-
 api/delete_comment.php | 3 ++-
 api/export_tickets.php | 3 ++-
 api/generate_api_key.php | 3 ++-
 api/get_users.php | 3 ++-
 api/manage_recurring.php | 3 ++-
 api/manage_templates.php | 6 ++++--
 api/manage_workflows.php | 6 ++++--
 api/revoke_api_key.php | 3 ++-
 api/update_comment.php | 3 ++-
 api/update_ticket.php | 7 +++++--
 12 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/api/add_comment.php b/api/add_comment.php
index ec4ce0d..1d9466a 100644
--- a/api/add_comment.php
+++ b/api/add_comment.php
@@ -116,11 +116,14 @@ try {
 } catch (Exception $e) {
 // Discard any unexpected output
 ob_end_clean();
-
+
+ // Log error details but don't expose to client
+ error_log("Add comment API error: " . $e->getMessage());
+
 // Return error response
 header('Content-Type: application/json');
 echo json_encode([
 'success' => false,
- 'error' => $e->getMessage()
+ 'error' => 'An internal error occurred'
 ]);
 }
\ No newline at end of file
diff --git a/api/custom_fields.php b/api/custom_fields.php
index 8b08e7c..689170e 100644
--- a/api/custom_fields.php
+++ b/api/custom_fields.php
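Review bot: The sanitized handler still only catches `Exception`, so an `Error` subclass raised inside the try block (a `TypeError` from a bad argument, a `ValueError`, an arithmetic error) bypasses it and falls to PHP's default handler, which depending on `display_errors` prints the message, file and line to the client — the same disclosure this commit is fixing; widen the new handler to `} catch (\Throwable $e) {`. The same narrow catch is present in the hunks for custom_fields, delete_comment, export_tickets, generate_api_key, get_users, manage_recurring, manage_templates, manage_workflows, revoke_api_key, update_comment and update_ticket. Now that the message no longer reaches the client, the log line is the only record of the failure, so give it the class and location: `error_log(sprintf('Add comment API error: %s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));`. This handler, like the ones in delete_comment and update_comment, also sends the error body without setting a status, so unless one was set earlier outside the hunk the client receives 200 for a failure — add `http_response_code(500);` before the `header()` call as the other endpoints do. The enclosing try block starts outside the hunk.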
@@ -97,6 +97,7 @@ try {
 }
 } catch (Exception $e) {
+ error_log("Custom fields API error: " . $e->getMessage());
 http_response_code(500);
- echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+ echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
 }
diff --git a/api/delete_comment.php b/api/delete_comment.php
index 386c3ce..ea172b3 100644
--- a/api/delete_comment.php
+++ b/api/delete_comment.php
@@ -89,9 +89,10 @@ try {
 } catch (Exception $e) {
 ob_end_clean();
+ error_log("Delete comment API error: " . $e->getMessage());
 header('Content-Type: application/json');
 echo json_encode([
 'success' => false,
- 'error' => $e->getMessage()
+ 'error' => 'An internal error occurred'
 ]);
 }
diff --git a/api/export_tickets.php b/api/export_tickets.php
index 30d1d05..0e33b8e 100644
--- a/api/export_tickets.php
+++ b/api/export_tickets.php
@@ -157,10 +157,11 @@ try {
 }
 } catch (Exception $e) {
+ error_log("Export tickets API error: " . $e->getMessage());
 header('Content-Type: application/json');
 http_response_code(500);
 echo json_encode([
 'success' => false,
- 'error' => $e->getMessage()
+ 'error' => 'An internal error occurred'
 ]);
 }
diff --git a/api/generate_api_key.php b/api/generate_api_key.php
index 7b9baa0..22068ee 100644
--- a/api/generate_api_key.php
+++ b/api/generate_api_key.php
@@ -108,10 +108,11 @@ try {
 } catch (Exception $e) {
 ob_end_clean();
+ error_log("Generate API key error: " . $e->getMessage());
 header('Content-Type: application/json');
 http_response_code(isset($conn) ? 400 : 500);
 echo json_encode([
 'success' => false,
- 'error' => $e->getMessage()
+ 'error' => 'An internal error occurred'
 ]);
 }
diff --git a/api/get_users.php b/api/get_users.php
index 37b1743..897c0aa 100644
--- a/api/get_users.php
+++ b/api/get_users.php
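Review bot: In generate_api_key the catch still picks the status with `http_response_code(isset($conn) ? 400 : 500);`, so a 400 — which tells the caller the request itself was wrong — now carries the body 'An internal error occurred', and whatever reason the thrown exception previously conveyed for that path is lost; revoke_api_key has the same pairing. Blanket replacement of `getMessage()` is right for unexpected failures, but exceptions the endpoint throws deliberately for bad input need a distinct type whose message is safe to echo, caught before the generic handler; the sketch below uses an illustrative `ClientError` class name. The `isset($conn)` test is also a weak proxy for "client error": it is true for any exception raised after the connection exists, including database failures, which would then be reported as 400. The enclosing try block starts outside the hunk.
```php
} catch (ClientError $e) { // illustrative name: a project exception type whose message is written for the caller
    ob_end_clean();
    header('Content-Type: application/json');
    http_response_code(400);
    echo json_encode(['success' => false, 'error' => $e->getMessage()]);
} catch (\Throwable $e) {
    ob_end_clean();
    error_log("Generate API key error: " . $e->getMessage());
    header('Content-Type: application/json');
    http_response_code(500);
    echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
}
```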
@@ -42,6 +42,7 @@ try {
 echo json_encode(['success' => true, 'users' => $users]);
 } catch (Exception $e) {
+ error_log("Get users API error: " . $e->getMessage());
 http_response_code(500);
- echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+ echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
 }
diff --git a/api/manage_recurring.php b/api/manage_recurring.php
index fed1be8..c77c9a7 100644
--- a/api/manage_recurring.php
+++ b/api/manage_recurring.php
@@ -124,8 +124,9 @@ try {
 }
 } catch (Exception $e) {
+ error_log("Recurring tickets API error: " . $e->getMessage());
 http_response_code(500);
- echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+ echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
 }
 function calculateNextRun($scheduleType, $scheduleDay, $scheduleTime) {
diff --git a/api/manage_templates.php b/api/manage_templates.php
index 0690cb2..0218f48 100644
--- a/api/manage_templates.php
+++ b/api/manage_templates.php
@@ -89,7 +89,8 @@ try {
 if ($stmt->execute()) {
 echo json_encode(['success' => true, 'template_id' => $conn->insert_id]);
 } else {
- echo json_encode(['success' => false, 'error' => $stmt->error]);
+ error_log("Template creation failed: " . $stmt->error);
+ echo json_encode(['success' => false, 'error' => 'Failed to create template']);
 }
 $stmt->close();
 break;
@@ -139,6 +140,7 @@ try {
 }
 } catch (Exception $e) {
+ error_log("Template API error: " . $e->getMessage());
 http_response_code(500);
- echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+ echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
 }
diff --git a/api/manage_workflows.php b/api/manage_workflows.php
index 558862d..812cc81 100644
--- a/api/manage_workflows.php
+++ b/api/manage_workflows.php
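Review bot: The new failure branch in manage_templates logs `$stmt->error` but answers with whatever status is already current — apparently 200, unless one was set earlier outside the hunk — so a failed INSERT is indistinguishable from success for any client or monitor that keys on the status code; add `http_response_code(500);` before the `echo`. The matching branch in the manage_workflows hunk has the same gap. Including the driver error code in the log line, `error_log("Template creation failed: [" . $stmt->errno . "] " . $stmt->error);`, makes constraint violations and connectivity problems separable when the message text alone is ambiguous. The enclosing `switch` case and the try block start outside the hunk.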
@@ -103,7 +103,8 @@ try {
 echo json_encode(['success' => true, 'transition_id' => $transitionId]);
 } else {
- echo json_encode(['success' => false, 'error' => $stmt->error]);
+ error_log("Workflow creation failed: " . $stmt->error);
+ echo json_encode(['success' => false, 'error' => 'Failed to create workflow transition']);
 }
 $stmt->close();
 break;
@@ -180,6 +181,7 @@ try {
 }
 } catch (Exception $e) {
+ error_log("Workflow API error: " . $e->getMessage());
 http_response_code(500);
- echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+ echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
 }
diff --git a/api/revoke_api_key.php b/api/revoke_api_key.php
index fe22bb5..3bb32bc 100644
--- a/api/revoke_api_key.php
+++ b/api/revoke_api_key.php
@@ -101,10 +101,11 @@ try {
 } catch (Exception $e) {
 ob_end_clean();
+ error_log("Revoke API key error: " . $e->getMessage());
 header('Content-Type: application/json');
 http_response_code(isset($conn) ? 400 : 500);
 echo json_encode([
 'success' => false,
- 'error' => $e->getMessage()
+ 'error' => 'An internal error occurred'
 ]);
 }
diff --git a/api/update_comment.php b/api/update_comment.php
index bbcabb7..28558f8 100644
--- a/api/update_comment.php
+++ b/api/update_comment.php
@@ -86,9 +86,10 @@ try {
 } catch (Exception $e) {
 ob_end_clean();
+ error_log("Update comment API error: " . $e->getMessage());
 header('Content-Type: application/json');
 echo json_encode([
 'success' => false,
- 'error' => $e->getMessage()
+ 'error' => 'An internal error occurred'
 ]);
 }
diff --git a/api/update_ticket.php b/api/update_ticket.php
index 482e38b..cd9d131 100644
--- a/api/update_ticket.php
+++ b/api/update_ticket.php
@@ -315,13 +315,16 @@ try {
 } catch (Exception $e) {
 // Discard any output that might have been generated
 ob_end_clean();
-
+
+ // Log error details but don't expose to client
+ error_log("Update ticket API error: " . $e->getMessage());
+
 // Return error response
 header('Content-Type: application/json');
 http_response_code(500);
 echo json_encode([
 'success' => false,
- 'error' => $e->getMessage()
+ 'error' => 'An internal error occurred'
 ]);
 }
 ?>
\ No newline at end of file