Conversation
| data = [rollout.model_dump(mode="json") for rollout in rollouts] | ||
| yield f"data: {json.dumps(data)}\n\n" | ||
|
|
||
| return StreamingResponse(event_stream(), media_type="text/event-stream") |
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Copilot Autofix
AI 6 months ago
To address the information exposure problem, we should prevent returning detailed exception information to external users. Instead, only a generic error message should be sent, such as "An internal error has occurred". The detailed exception information (including potentially the stack trace) should be logged server-side using the logging module or similar tooling.
Steps:
- In the event_stream() function, replace the use of str(exc) in the yielded SSE data with a generic error string.
- Log the detailed exception and stack trace using logger.error(traceback.format_exc()) or equivalent.
- Do not change any application logic except for the error reporting in the SSE stream; maintain existing behavior and error-handling structure.
The required edits are confined to the relevant block in the shown code within agentlightning/store/client_server.py.
| @@ -363,7 +363,8 @@ | ||
| timeout=payload.timeout, | ||
| ) | ||
| except Exception as exc: # pragma: no cover - surfaced via SSE | ||
| error_payload = {"error": str(exc)} | ||
| logger.error("Exception in wait_for_rollouts SSE", exc_info=True) | ||
| error_payload = {"error": "An internal error has occurred."} | ||
| yield "event: error\n" | ||
| yield f"data: {json.dumps(error_payload)}\n\n" | ||
| return |
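Review bot: the added `logger.error("Exception in wait_for_rollouts SSE", exc_info=True)` line relies on a module-level `logger` that this hunk neither imports nor defines; confirm `agentlightning/store/client_server.py` already has one (e.g. a `logging.getLogger(__name__)` at the top), otherwise the except branch raises NameError inside the generator and the client gets a truncated stream instead of the `event: error` frame. Also worth noting in the PR description: clients that previously parsed the exception text out of the `error` event now only ever receive "An internal error has occurred.", so any consumer matching on that message must be updated.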
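The pattern the autofix describes, reduced to a self-contained SSE generator, as an added example that is not code from the agentlightning project: `event_stream`, `_failing_fetch`, `collect` and the connection-string detail in the constructed exception are assumptions for illustration, and `leak_details=True` reproduces the flagged behaviour so the two outputs can be compared.

```python
import asyncio
import json
import logging
from typing import AsyncIterator, Awaitable, Callable, List, Optional

logger = logging.getLogger(__name__)
GENERIC_ERROR = "An internal error has occurred."


def _sse(event: Optional[str], data) -> str:
    """Format one Server-Sent Events frame (optional event name, JSON data)."""
    head = f"event: {event}\n" if event else ""
    return f"{head}data: {json.dumps(data)}\n\n"


async def event_stream(fetch: Callable[[], Awaitable[List[dict]]],
                       leak_details: bool = False) -> AsyncIterator[str]:
    """Yield the fetched rollouts as SSE; on failure emit one error event and stop.

    leak_details=True is the pattern CodeQL flagged (str(exc) sent to the client);
    the default logs the traceback server-side and sends a fixed message instead.
    """
    try:
        yield _sse(None, await fetch())
    except Exception as exc:
        if leak_details:
            payload = {"error": str(exc)}  # internals reach the caller
        else:
            logger.error("Exception in wait_for_rollouts SSE", exc_info=True)
            payload = {"error": GENERIC_ERROR}
        yield _sse("error", payload)
        return


async def _failing_fetch() -> List[dict]:
    # Constructed failure carrying a detail that must never reach the client.
    raise RuntimeError("postgres://store:s3cret@db.internal:5432 refused connection")


def collect(leak_details: bool) -> List[str]:
    """Drive the stream to completion and return the emitted frames (sync helper)."""
    async def run():
        return [f async for f in event_stream(_failing_fetch, leak_details)]
    return asyncio.run(run())


def error_message(frames: List[str]) -> str:
    """Extract the JSON 'error' field from the stream's error event."""
    frame = next(f for f in frames if f.startswith("event: error\n"))
    return json.loads(frame.split("data: ", 1)[1].strip())["error"]
```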
/ci

✅ CI retrigger requested by @ultmaster. Closed & reopened the PR to fire
Summary
Testing
https://chatgpt.com/codex/tasks/task_e_68fa5a8534b4832eb5385a9bbfe33194