Fix security vulnerabilities

2025-12-20 12:11:17 -05:00 · 2025-10-16 20:01:21 +00:00
parent f176c28df6
commit cdd9e6c8c6
7 changed files with 192 additions and 5 deletions
--- a/supabase/functions/_shared/errorSanitizer.ts
+++ b/supabase/functions/_shared/errorSanitizer.ts
@@ -0,0 +1,103 @@
+/**
+ * Error sanitization utility to prevent information disclosure
+ * Prevents exposing database schema, RLS policies, and internal implementation details
+ */
+
+interface SanitizedError {
+  error: string;
+  code?: string;
+}
+
+const ERROR_PATTERNS: Record<string, string> = {
+  'duplicate key': 'A record with this information already exists',
+  'foreign key': 'Invalid reference to related data',
+  'violates check': 'The provided data does not meet requirements',
+  'not-null': 'Required field is missing',
+  'violates row-level security': 'Access denied',
+  'permission denied': 'Access denied',
+  'authentication': 'Authentication failed',
+  'jwt': 'Authentication failed',
+  'unique constraint': 'This value is already in use',
+  'invalid input syntax': 'Invalid data format',
+  'value too long': 'Value exceeds maximum length',
+  'numeric field overflow': 'Number value is too large',
+};
+
+/**
+ * Sanitizes error messages to prevent information disclosure
+ * Logs full error server-side for debugging
+ */
+export function sanitizeError(error: unknown, context?: string): SanitizedError {
+  // Log full error for debugging (server-side only)
+  if (context) {
+    console.error(`[${context}] Error:`, error);
+  } else {
+    console.error('Error:', error);
+  }
+
+  // Handle non-Error objects
+  if (!error || typeof error !== 'object') {
+    return {
+      error: 'An unexpected error occurred. Please try again.',
+      code: 'UNKNOWN_ERROR'
+    };
+  }
+
+  const errorMessage = (error as Error).message || '';
+  const errorMessageLower = errorMessage.toLowerCase();
+
+  // Check for known patterns
+  for (const [pattern, safeMessage] of Object.entries(ERROR_PATTERNS)) {
+    if (errorMessageLower.includes(pattern.toLowerCase())) {
+      return {
+        error: safeMessage,
+        code: pattern.toUpperCase().replace(/\s+/g, '_')
+      };
+    }
+  }
+
+  // Rate limiting errors
+  if (errorMessageLower.includes('rate limit') || errorMessageLower.includes('too many')) {
+    return {
+      error: 'Too many requests. Please try again later.',
+      code: 'RATE_LIMITED'
+    };
+  }
+
+  // Network/timeout errors
+  if (errorMessageLower.includes('timeout') || errorMessageLower.includes('network')) {
+    return {
+      error: 'Connection error. Please check your internet connection and try again.',
+      code: 'NETWORK_ERROR'
+    };
+  }
+
+  // Default safe error
+  return {
+    error: 'An error occurred while processing your request. Please try again or contact support if the problem persists.',
+    code: 'INTERNAL_ERROR'
+  };
+}
+
+/**
+ * Creates a sanitized error response for edge functions
+ */
+export function createErrorResponse(
+  error: unknown,
+  status: number = 500,
+  corsHeaders: Record<string, string> = {},
+  context?: string
+): Response {
+  const sanitized = sanitizeError(error, context);
+  
+  return new Response(
+    JSON.stringify(sanitized),
+    {
+      status,
+      headers: {
+        ...corsHeaders,
+        'Content-Type': 'application/json'
+      }
+    }
+  );
+}
--- a/supabase/functions/export-user-data/index.ts
+++ b/supabase/functions/export-user-data/index.ts
@@ -1,5 +1,6 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { sanitizeError } from '../_shared/errorSanitizer.ts';

 const corsHeaders = {
  'Access-Control-Allow-Origin': '*',
@@ -278,9 +279,10 @@ serve(async (req) => {

  } catch (error) {
    console.error('[Export] Error:', error);
+    const sanitized = sanitizeError(error, 'export-user-data');
    return new Response(
      JSON.stringify({ 
-        error: error instanceof Error ? error.message : 'An unexpected error occurred',
+        ...sanitized,
        success: false 
      }),
      { status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
--- a/supabase/functions/process-selective-approval/index.ts
+++ b/supabase/functions/process-selective-approval/index.ts
@@ -1,6 +1,7 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
 import { validateEntityData, validateEntityDataStrict } from "./validation.ts";
+import { createErrorResponse } from "../_shared/errorSanitizer.ts";

 const corsHeaders = {
  'Access-Control-Allow-Origin': '*',
@@ -437,9 +438,11 @@ serve(async (req) => {
    );
  } catch (error) {
    console.error('Error in process-selective-approval:', error);
-    return new Response(
-      JSON.stringify({ error: error instanceof Error ? error.message : 'Unknown error' }),
-      { status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
+    return createErrorResponse(
+      error,
+      500,
+      corsHeaders,
+      'process-selective-approval'
    );
  }
 });