Problem
When an upstream provider returns an HTTP 4xx/5xx error, the proxy forwards the raw JSON response body directly to the proxy user without any sanitization.
Affected locations in crates/nyro-core/src/proxy/handler.rs:
- Lines 779-781: Json(resp) returns raw upstream error body
- Lines 764, 907, 1081: format!("upstream error: {e}") exposes internal error details
- Line 194: same pattern in embeddings proxy
Why this is a problem
Some upstream providers echo credential fragments in error messages. For example, OpenAI returns:
Incorrect API key provided: sk-proj-abc...xyz. You can find your API key at https://platform.openai.com/account/api-keys.
This means a proxy user can learn the operator's API key prefix/suffix when the upstream returns an auth error.
Exploit scenario
- Proxy is configured with the operator's OpenAI API key
- The key expires or is revoked
- A proxy user sends a request; upstream returns 401 with partial key in the error message
- The gateway forwards this error verbatim to the proxy user
Recommendation
Sanitize upstream error responses before returning to proxy users. Return a generic gateway error and log the raw upstream error server-side only.
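One way to implement this recommendation, shown as an added example that is not code from nyro or from the issue author. The function name, error codes, status mapping and request_id parameter are assumptions made for illustration.

```rust
// Added example, not nyro's code. Standard library only; all names are hypothetical.

/// What the proxy user receives: a status and a fixed body, never upstream text.
#[derive(Debug, PartialEq)]
pub struct ClientError {
    pub status: u16,
    pub body: String,
}

/// Turn an upstream error into (client-facing error, server-side log line).
/// `request_id` is assumed to be generated by the gateway (e.g. hex), so it is
/// safe to embed in JSON and lets the operator correlate the two.
pub fn sanitize_upstream_error(
    upstream_status: u16,
    raw_body: &str,
    request_id: &str,
) -> (ClientError, String) {
    // An upstream 401/403 concerns the operator's key, not the proxy user's,
    // so it is reported as a gateway fault (502) rather than passed through.
    let (status, code) = match upstream_status {
        401 | 403 => (502, "upstream_auth_failed"),
        429 => (429, "upstream_rate_limited"),
        400..=499 => (400, "upstream_rejected_request"),
        _ => (502, "upstream_unavailable"),
    };
    let body = format!(
        r#"{{"error":{{"type":"gateway_error","code":"{code}","request_id":"{request_id}"}}}}"#
    );
    // The raw body goes only to the log; {:?} escapes quotes and newlines.
    let log_line = format!(
        "request_id={request_id} upstream_status={upstream_status} upstream_body={raw_body:?}"
    );
    (ClientError { status, body }, log_line)
}

// Constructed sample: the error text quoted in the issue, wrapped in JSON.
pub const SAMPLE_UPSTREAM_BODY: &str =
    r#"{"error":{"message":"Incorrect API key provided: sk-proj-abc...xyz."}}"#;

fn main() {
    let (client, log_line) = sanitize_upstream_error(401, SAMPLE_UPSTREAM_BODY, "3f9a1c");
    eprintln!("{log_line}"); // server-side log only
    println!("{} {}", client.status, client.body); // what the proxy user sees
}
```

The client body is built only from fixed strings and the gateway's own request id, so nothing the upstream wrote can reach the proxy user.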