LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix error message disclosure in API endpoints

Browse Source 
Replace exception getMessage() exposure with generic error messages
to prevent internal information disclosure. Errors are now logged
with full details while clients receive sanitized responses.

Affected endpoints:
- add_comment, update_comment, delete_comment
- update_ticket, export_tickets
- generate_api_key, revoke_api_key
- manage_templates, manage_workflows, manage_recurring
- custom_fields, get_users

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-01-30 18:56:29 -05:00
parent 5b2a2c271e
commit ed9c2a39d1
12 changed files with 34 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
api/add_comment.php
View File

@@ -116,11 +116,14 @@ try {
} catch (Exception $e) { } catch (Exception $e) {
// Discard any unexpected output // Discard any unexpected output
ob_end_clean(); ob_end_clean();
// Log error details but don't expose to client
error_log("Add comment API error: " . $e->getMessage());
// Return error response // Return error response
header('Content-Type: application/json'); header('Content-Type: application/json');
echo json_encode([ echo json_encode([
'success' => false, 'success' => false,
'error' => $e->getMessage() 'error' => 'An internal error occurred'
]); ]);
} }

3
api/custom_fields.php
View File

@@ -97,6 +97,7 @@ try {
} }
} catch (Exception $e) { } catch (Exception $e) {
error_log("Custom fields API error: " . $e->getMessage());
http_response_code(500); http_response_code(500);
echo json_encode(['success' => false, 'error' => $e->getMessage()]); echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
} }

3
api/delete_comment.php
View File

@@ -89,9 +89,10 @@ try {
} catch (Exception $e) { } catch (Exception $e) {
ob_end_clean(); ob_end_clean();
error_log("Delete comment API error: " . $e->getMessage());
header('Content-Type: application/json'); header('Content-Type: application/json');
echo json_encode([ echo json_encode([
'success' => false, 'success' => false,
'error' => $e->getMessage() 'error' => 'An internal error occurred'
]); ]);
} }

3
api/export_tickets.php
View File

@@ -157,10 +157,11 @@ try {
} }
} catch (Exception $e) { } catch (Exception $e) {
error_log("Export tickets API error: " . $e->getMessage());
header('Content-Type: application/json'); header('Content-Type: application/json');
http_response_code(500); http_response_code(500);
echo json_encode([ echo json_encode([
'success' => false, 'success' => false,
'error' => $e->getMessage() 'error' => 'An internal error occurred'
]); ]);
} }

3
api/generate_api_key.php
View File

@@ -108,10 +108,11 @@ try {
} catch (Exception $e) { } catch (Exception $e) {
ob_end_clean(); ob_end_clean();
error_log("Generate API key error: " . $e->getMessage());
header('Content-Type: application/json'); header('Content-Type: application/json');
http_response_code(isset($conn) ? 400 : 500); http_response_code(isset($conn) ? 400 : 500);
echo json_encode([ echo json_encode([
'success' => false, 'success' => false,
'error' => $e->getMessage() 'error' => 'An internal error occurred'
]); ]);
} }

3
api/get_users.php
View File

@@ -42,6 +42,7 @@ try {
echo json_encode(['success' => true, 'users' => $users]); echo json_encode(['success' => true, 'users' => $users]);
} catch (Exception $e) { } catch (Exception $e) {
error_log("Get users API error: " . $e->getMessage());
http_response_code(500); http_response_code(500);
echo json_encode(['success' => false, 'error' => $e->getMessage()]); echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
} }

3
api/manage_recurring.php
View File

@@ -124,8 +124,9 @@ try {
} }
} catch (Exception $e) { } catch (Exception $e) {
error_log("Recurring tickets API error: " . $e->getMessage());
http_response_code(500); http_response_code(500);
echo json_encode(['success' => false, 'error' => $e->getMessage()]); echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
} }
function calculateNextRun($scheduleType, $scheduleDay, $scheduleTime) { function calculateNextRun($scheduleType, $scheduleDay, $scheduleTime) {

6
api/manage_templates.php
View File

@@ -89,7 +89,8 @@ try {
if ($stmt->execute()) { if ($stmt->execute()) {
echo json_encode(['success' => true, 'template_id' => $conn->insert_id]); echo json_encode(['success' => true, 'template_id' => $conn->insert_id]);
} else { } else {
echo json_encode(['success' => false, 'error' => $stmt->error]); error_log("Template creation failed: " . $stmt->error);
echo json_encode(['success' => false, 'error' => 'Failed to create template']);
} }
$stmt->close(); $stmt->close();
break; break;
@@ -139,6 +140,7 @@ try {
} }
} catch (Exception $e) { } catch (Exception $e) {
error_log("Template API error: " . $e->getMessage());
http_response_code(500); http_response_code(500);
echo json_encode(['success' => false, 'error' => $e->getMessage()]); echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
} }

6
api/manage_workflows.php
View File

@@ -103,7 +103,8 @@ try {
echo json_encode(['success' => true, 'transition_id' => $transitionId]); echo json_encode(['success' => true, 'transition_id' => $transitionId]);
} else { } else {
echo json_encode(['success' => false, 'error' => $stmt->error]); error_log("Workflow creation failed: " . $stmt->error);
echo json_encode(['success' => false, 'error' => 'Failed to create workflow transition']);
} }
$stmt->close(); $stmt->close();
break; break;
@@ -180,6 +181,7 @@ try {
} }
} catch (Exception $e) { } catch (Exception $e) {
error_log("Workflow API error: " . $e->getMessage());
http_response_code(500); http_response_code(500);
echo json_encode(['success' => false, 'error' => $e->getMessage()]); echo json_encode(['success' => false, 'error' => 'An internal error occurred']);
} }

3
api/revoke_api_key.php
View File

@@ -101,10 +101,11 @@ try {
} catch (Exception $e) { } catch (Exception $e) {
ob_end_clean(); ob_end_clean();
error_log("Revoke API key error: " . $e->getMessage());
header('Content-Type: application/json'); header('Content-Type: application/json');
http_response_code(isset($conn) ? 400 : 500); http_response_code(isset($conn) ? 400 : 500);
echo json_encode([ echo json_encode([
'success' => false, 'success' => false,
'error' => $e->getMessage() 'error' => 'An internal error occurred'
]); ]);
} }

3
api/update_comment.php
View File

@@ -86,9 +86,10 @@ try {
} catch (Exception $e) { } catch (Exception $e) {
ob_end_clean(); ob_end_clean();
error_log("Update comment API error: " . $e->getMessage());
header('Content-Type: application/json'); header('Content-Type: application/json');
echo json_encode([ echo json_encode([
'success' => false, 'success' => false,
'error' => $e->getMessage() 'error' => 'An internal error occurred'
]); ]);
} }

7
api/update_ticket.php
View File

@@ -315,13 +315,16 @@ try {
} catch (Exception $e) { } catch (Exception $e) {
// Discard any output that might have been generated // Discard any output that might have been generated
ob_end_clean(); ob_end_clean();
// Log error details but don't expose to client
error_log("Update ticket API error: " . $e->getMessage());
// Return error response // Return error response
header('Content-Type: application/json'); header('Content-Type: application/json');
http_response_code(500); http_response_code(500);
echo json_encode([ echo json_encode([
'success' => false, 'success' => false,
'error' => $e->getMessage() 'error' => 'An internal error occurred'
]); ]);
} }
?> ?>