-
Notifications
You must be signed in to change notification settings - Fork 0
fix: stop leaking raw upstream body in NetworkException (#41) #43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,16 +8,20 @@ public PostGuardException(string message, Exception inner) : base(message, inner | |
|
|
||
| public class NetworkException : PostGuardException | ||
| { | ||
| // Raw upstream response body, retained for diagnostics only. Kept private | ||
| // so it is never surfaced in the exception message or via a public property, | ||
| // where it could leak sensitive upstream data into logs. See issue #41. | ||
| private readonly string _body; | ||
|
|
||
| public int StatusCode { get; } | ||
| public string Body { get; } | ||
| public string Url { get; } | ||
|
|
||
| public NetworkException(int statusCode, string body, string url) | ||
| : base($"HTTP {statusCode} at {url}: {body}") | ||
| : base($"HTTP {statusCode} received from upstream service") | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Removing the public |
||
| { | ||
| StatusCode = statusCode; | ||
| Body = body; | ||
| Url = url; | ||
| _body = body; | ||
| } | ||
| } | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The private
_bodyfield is assigned in the ctor but never read anywhere — no accessor, method, orToString()override consumes it — so the "retained for diagnostics" comment is misleading: it provides no diagnostic access and only keeps the sensitive upstream body alive on the exception object. This is acceptable because the task explicitly asked to "store it in a private field," so no change is required, but as written it is effectively dead storage. If diagnostic access is genuinely wanted, expose it through a redacted/internal accessor; otherwise the comment could be trimmed. (Build stays clean — assigned from a ctor param, so no CS0414.)