feat: add contract signing functionality #18
Conversation
github-actions
bot
changed the title
|
This pull request has been translated to English for broader visibility. Original title: Original body: 
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| "status": record.status, | ||
| } | ||
|
|
||
| return JsonResponse(body, status=status) |
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
The best fix is to avoid returning the direct message of WithdrawalError to the user. Instead, we should log the exception server-side (including the message and stack trace), and return a generic error message to the client, such as "Withdrawal request could not be processed.". This prevents any sensitive implementation or debugging details from leaking to a potential attacker.
Specifically:
- In the
except WithdrawalError as exc:block, replace the population ofbodyandstatuswith logging the exception and a more generic error response. - Add a logging call to record the exception (with stack trace) for internal troubleshooting.
- (Re-)use the logging instance
loggeralready present in the code. - Do not change the status code unless desired (can leave as 400 for client error).
All changes can be made in points/webhooks.py.
| @@ -56,8 +56,9 @@ | ||
| status = 404 | ||
| body = {"detail": "Signing record not found."} | ||
| except WithdrawalError as exc: | ||
| logger.exception("WithdrawalError processing FaDaDa webhook") | ||
| status = 400 | ||
| body = {"detail": str(exc)} | ||
| body = {"detail": "Withdrawal request could not be processed."} | ||
| except Exception: # pragma: no cover - defensive | ||
| logger.exception("Unhandled error processing FaDaDa webhook") | ||
| status = 500 |
|
Uh oh!
There was an error while loading. Please reload this page.