Sensitive API error responses exposed to users

[tembo]

Security Vulnerability Report

Severity: Low

Vulnerability Type: Information Disclosure

Affected Files and Lines

• src/services/typefully.ts - Line 48

Code Snippet

if (!response.ok) {
  const errorText = await response.text();
  throw new Error(`Typefully API error (${response.status}): ${errorText}`);
}

Description

The error response from Typefully API is displayed directly to the user. If the API returns error messages containing sensitive information (API limits, internal IDs, rate limit details, etc.), this data would be exposed to the user and could leak into logs or error reporting.

Impact

• Internal API details could be exposed
• Rate limit information could help attackers time their attacks
• Error messages might contain sensitive implementation details

Recommended Fix

if (!response.ok) {
  const errorText = await response.text();
  if (response.status === 401) {
    throw new Error('Typefully API authentication failed. Check your TYPEFULLY_API_KEY.');
  } else if (response.status === 429) {
    throw new Error('Typefully API rate limit reached. Please try again later.');
  } else {
    // Log full response for debugging, but show generic message to user
    logger.debug(`Typefully API error (${response.status}): ${errorText}`);
    throw new Error(`Typefully API error (${response.status}). Please check your API key and try again.`);
  }
}

References

• OWASP - Error Handling

[tembo]

Good catch. The codebase already has an established pattern for this in src/services/x-api.ts:29-58 with the handleApiError function that handles 401, 403, and 429 cases with user-friendly messages.

A few notes for implementation:

1. The suggested fix uses logger.debug() but the current logger at src/utils/logger.ts doesn't have a debug method - you'd either need to add one or use a different approach for logging the raw response.

2. Consider following the existing handleApiError pattern from x-api.ts which provides helpful context like:

// 401/403 handling suggests remediation steps
throw new Error(
  `Typefully API authentication error (${error.code})\n` +
  `   Check your TYPEFULLY_API_KEY in .env or environment`
);

3. Since this is a CLI tool, raw API errors shown in terminal aren't as risky as web-facing apps, but sanitizing them is still good practice for cleaner UX and avoiding confusion from verbose API responses.