fix(chat): replace raw Supabase error.message with generic client response [NSoC'26]#143

Open
anshul23102 wants to merge 1 commit into
Shriii19:masterfrom
anshul23102:fix/138-chat-error-leak

Conversation

@anshul23102

Description

Both getMessages and sendMessage in chat.controller.js forwarded the raw error.message from Supabase directly to HTTP clients. Supabase errors can include PostgreSQL-level details: table names, column names, constraint names, and error codes. Exposing these helps attackers map the database schema for targeted injection or enumeration attacks.

Related Issue

Closes #138

Type of Change

  • Bug fix (security)

Root Cause

res.status(500).json({ error: error.message }) was used in both handlers without any sanitization. The full error object was not logged server-side in either case.

Changes Made

File | Change
backend/controllers/chat.controller.js | getMessages: replaced error.message with "Failed to retrieve messages." and added console.error for server-side logging
backend/controllers/chat.controller.js | sendMessage: replaced error.message with "Failed to send message." and updated the log label

Screenshots or Demo

Not applicable (backend-only change).

Testing Done

  • A Supabase error in getMessages returns { error: "Failed to retrieve messages." } to the client; the full error appears in server logs.
  • A Supabase error in sendMessage returns { error: "Failed to send message." } to the client.
  • Normal message send and retrieval still work correctly.

Checklist

  • I have read the CONTRIBUTING.md and followed its guidelines
  • My code follows the style and formatting of this project
  • I have tested my changes locally and they work as expected
  • No unnecessary files modified outside the scope of this issue
  • There are no merge conflicts with the base branch
  • This PR is linked to the correct issue
  • I have not used any AI-generated content in this PR

NSoC Label Request

@Shriii19 could you please add the appropriate NSoC '26 label to this PR? Thank you!

…ponse [NSoC'26]

Both getMessages and sendMessage forwarded the raw Supabase error.message
directly to HTTP clients. Supabase errors can contain PostgreSQL details
including table names, column names, and constraint names, helping
attackers enumerate the database schema.

Replaced error.message in both responses with a fixed generic string
and moved the full error object to console.error so it is captured in
server logs but never exposed to clients.

Closes Shriii19#138
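The pattern described above, as an added example that is not the project's code: a minimal model of getMessages before and after the fix, run against a constructed Supabase-style error so it executes offline. The mock client, the error text, the Express response stand-in and the helper names are assumptions; sendMessage follows the same shape with its own generic string.

```javascript
// Constructed Supabase/PostgREST-style error (assumption, not real project output).
// Note the table name and PostgreSQL error code it carries.
const constructedError = {
  message: 'relation "public.chat_messages" does not exist',
  code: '42P01',
  details: null,
  hint: null,
};

// Mock Supabase client whose query always fails; mirrors the { data, error } shape.
const supabaseMock = {
  from: () => ({ select: async () => ({ data: null, error: constructedError }) }),
};

// Minimal stand-in for an Express response so the handlers run without Express.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Before the fix: error.message reaches the client, exposing schema details.
async function getMessagesLeaky(req, res, supabase = supabaseMock) {
  const { data, error } = await supabase.from('messages').select('*');
  if (error) return res.status(500).json({ error: error.message });
  return res.status(200).json(data);
}

// After the fix: fixed generic string to the client, full error object to server logs.
async function getMessagesFixed(req, res, supabase = supabaseMock, log = console.error) {
  const { data, error } = await supabase.from('messages').select('*');
  if (error) {
    log('getMessages error:', error); // detail stays server-side only
    return res.status(500).json({ error: 'Failed to retrieve messages.' });
  }
  return res.status(200).json(data);
}

// Runs a handler and returns exactly what the HTTP client would receive.
async function run(handler, log) {
  const res = makeRes();
  await handler({}, res, supabaseMock, log);
  return { status: res.statusCode, body: res.body };
}
```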

vercel Bot commented May 31, 2026

@anshul23102 is attempting to deploy a commit to the shreemp194-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

👋 Thank you for opening this pull request! I will review your changes and assist you soon.


Development

Successfully merging this pull request may close these issues.

[Security][Level 2] backend/controllers/chat.controller.js: Supabase error.message forwarded to clients, leaking internal database details