Skip to content

fix: prevent internal error.message leakage in incidents webhook handler#2591

Open
tmdeveloper007 wants to merge 1 commit into
nisshchayarathi:mainfrom
tmdeveloper007:fix-incidents-error-leak
Open

fix: prevent internal error.message leakage in incidents webhook handler#2591
tmdeveloper007 wants to merge 1 commit into
nisshchayarathi:mainfrom
tmdeveloper007:fix-incidents-error-leak

Conversation

@tmdeveloper007

Copy link
Copy Markdown
Contributor

Summary

Fixes an internal error detail leakage vulnerability in the incidents webhook handler. In production (NODE_ENV !== "development"), the raw error.message is no longer returned to clients. Only a generic "Internal server error" message is exposed.

Issue

Addresses error message exposure in app/api/integrations/incidents/webhook/route.ts.

Changes

  • Changed error handler to check process.env.NODE_ENV before returning error details
  • In development: full error.message is returned (for debugging)
  • In production: returns "Internal server error"
  • Full error is still logged to server console for debugging

Security Impact

Prevents internal error details (stack traces, file paths, dependency versions) from being exposed to unauthenticated webhook callers in production.

Files Changed

  • app/api/integrations/incidents/webhook/route.ts

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@tmdeveloper007, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 55 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9a0969d2-b38f-46cc-bb05-fb3048071150

📥 Commits

Reviewing files that changed from the base of the PR and between 07ceab7 and 2f2072a.

📒 Files selected for processing (1)
  • app/api/integrations/incidents/webhook/route.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the gssoc:spam GSSoC: Spam contribution label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

⚠️ GSSoC Quality Check Failed — PR #2591

Hi @tmdeveloper007! 👋 Your PR has been flagged by our automated GSSoC quality check.

Issues found:

  • 📏 Trivially small change — Only 3 line(s) changed in 1 file. Changes this small are almost never meaningful contributions. Make sure your PR solves a real issue.
  • 🔗 No linked issue — Every PR must be linked to an open issue. Add closes #<issue-number> or fixes #<issue-number> in your description so maintainers know what this PR resolves.

✅ How to fix this

  1. Read the issues listed above carefully
  2. Edit your PR title and description to address them
  3. Make sure your PR is linked to an open issue using closes #<issue-number>
  4. Make sure your changes are meaningful and solve a real problem

Once you've fixed these, a maintainer will review and remove the flag. If you believe this is a mistake, please comment below. 🙏

GSSoC'26 automation · Maintainer: @nisshchayarathi

@tmdeveloper007

Copy link
Copy Markdown
Contributor Author

CodeRabbit review is passing. The Vercel deployment check requires authorization from the repository maintainer (@nisshchayarathi) — please visit your Vercel project settings and authorize the GitVerse GitHub App to enable deployments for this fork. Happy to help if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc:spam GSSoC: Spam contribution

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant