From 3d6ebc9522c746edc8bf2c40fb8e6e2dc4fdc171 Mon Sep 17 00:00:00 2001
From: Andrew Nesbitt
Date: Thu, 12 Mar 2026 12:01:29 +0000
Subject: [PATCH] Stop leaking internal error messages in API and health responses

Replace err.Error() in HTTP error responses with generic messages. Internal details like database driver errors and enrichment failures were being sent directly to clients.
---
 internal/server/api.go | 10 +++++-----
 internal/server/server.go | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/internal/server/api.go b/internal/server/api.go
index 28b16e5..a46e0aa 100644
--- a/internal/server/api.go
+++ b/internal/server/api.go
@@ -161,7 +161,7 @@ func (h *APIHandler) HandleGetPackage(w http.ResponseWriter, r *http.Request) {
 
 	info, err := h.enrichment.EnrichPackage(r.Context(), ecosystem, name)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, "failed to enrich package", http.StatusInternalServerError)
 		return
 	}
 
@@ -209,7 +209,7 @@ func (h *APIHandler) HandleGetVersion(w http.ResponseWriter, r *http.Request) {
 
 	result, err := h.enrichment.EnrichFull(r.Context(), ecosystem, name, version)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, "failed to enrich version", http.StatusInternalServerError)
 		return
 	}
 
@@ -291,7 +291,7 @@ func (h *APIHandler) HandleGetVulns(w http.ResponseWriter, r *http.Request) {
 
 	vulns, err := h.enrichment.CheckVulnerabilities(r.Context(), ecosystem, name, version)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, "failed to check vulnerabilities", http.StatusInternalServerError)
 		return
 	}
 
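Review bot: The enrichment error is now dropped entirely — the `+` line in the -161 hunk returns a generic message but nothing records `err`, so an EnrichPackage outage becomes undiagnosable from the server side; the same gap is in the -209 and -291 hunks here and in the -485 and -592 hunks (HandleSearch, HandlePackagesList). Log it before responding, with the user-supplied identifiers quoted so they cannot inject log lines: `log.Printf("enrich package %q/%q: %v", ecosystem, name, err)` (use the handler's own logger if APIHandler carries one; otherwise `log` would need importing in api.go, which is outside the hunk). Collapsing every failure to 500 also hides client-caused outcomes: if EnrichPackage returns a distinguishable not-found error, or the request context was cancelled (`errors.Is(err, context.Canceled)`), those deserve a 404 or an early return rather than a 500 — I cannot tell from the hunk whether such sentinels exist. The enclosing handlers start and end outside the hunk.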
@@ -485,7 +485,7 @@ func (h *APIHandler) HandleSearch(w http.ResponseWriter, r *http.Request) {
 	// Search in database
 	results, err := h.db.SearchPackages(query, ecosystem, limit, (page-1)*limit)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, "search failed", http.StatusInternalServerError)
 		return
 	}
 
@@ -592,7 +592,7 @@ func (h *APIHandler) HandlePackagesList(w http.ResponseWriter, r *http.Request)
 
 	packages, err := h.db.ListCachedPackages(ecosystem, sortBy, limit, (page-1)*limit)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, "failed to list packages", http.StatusInternalServerError)
 		return
 	}
 
diff --git a/internal/server/server.go b/internal/server/server.go
index 58cdc07..19eb468 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -686,7 +686,7 @@ func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
 	// Check database connectivity
 	if _, err := s.db.SchemaVersion(); err != nil {
 		w.WriteHeader(http.StatusServiceUnavailable)
-		_, _ = fmt.Fprintf(w, "database error: %v", err)
+		_, _ = fmt.Fprint(w, "database error")
 		return
 	}
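Review bot: In the -686 hunk the database error is no longer visible anywhere — the `+` line writes the fixed string and the `err` from SchemaVersion() is discarded, so a failing health probe leaves no server-side trace of why. Record it before writing the response, e.g. `log.Printf("health: database check: %v", err)` above the `w.WriteHeader` call, via the Server's logger if it has one (not visible in the hunk). The `_, _ =` on the Fprint is pre-existing and acceptable for a short 503 body, but a one-line comment such as `// write error on the 503 body is not actionable here` would make the discard read as deliberate. handleHealth continues past the hunk.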