From f8c6c8f7ccee57ac16b5d13cba398a967b92706d Mon Sep 17 00:00:00 2001
From: sajdakabir
Date: Wed, 22 Apr 2026 13:06:22 +0530
Subject: [PATCH] fix: stop leaking Drizzle SQL queries in webhook error responses (#4276)
---
 apps/dokploy/pages/api/deploy/[refreshToken].ts | 16 +++++++++++++---
 .../pages/api/deploy/compose/[refreshToken].ts | 8 +++++---
 apps/dokploy/pages/api/deploy/github.ts | 15 +++++++++------
 3 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/apps/dokploy/pages/api/deploy/[refreshToken].ts b/apps/dokploy/pages/api/deploy/[refreshToken].ts
index 1a99c3a8e..bb6eb06d3 100644
--- a/apps/dokploy/pages/api/deploy/[refreshToken].ts
+++ b/apps/dokploy/pages/api/deploy/[refreshToken].ts
@@ -12,6 +12,15 @@ import type { DeploymentJob } from "@/server/queues/queue-types";
 import { myQueue } from "@/server/queues/queueSetup";
 import { deploy } from "@/server/utils/deploy";
+/**
+ * Log a webhook handler error server-side without leaking its shape to the HTTP
+ * response. Drizzle errors carry the raw SQL query, column list and parameters,
+ * so we never forward the error object to the client.
+ */
+export const logWebhookError = (context: string, error: unknown) => {
+ console.error(context, error);
+};
+
 /**
 * Helper function to get package_version from registry_package events
 */
@@ -262,14 +271,15 @@ export default async function handler(
 );
 }
 } catch (error) {
- res.status(400).json({ message: "Error deploying Application", error });
+ logWebhookError("Error deploying Application:", error);
+ res.status(400).json({ message: "Error deploying Application" });
 return;
 }
 res.status(200).json({ message: "Application deployed successfully" });
 } catch (error) {
- console.log(error);
- res.status(400).json({ message: "Error deploying Application", error });
+ logWebhookError("Error deploying Application:", error);
+ res.status(400).json({ message: "Error deploying Application" });
 }
 }
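Review bot: `logWebhookError` passes the whole error object to `console.error`, so the query text, column list and bound parameters that the commit removes from the HTTP response are now written verbatim to the server log. If the failing statement is this route's token lookup, the bound parameters would presumably include the refresh token from the URL, so the log sink inherits the sensitivity the response used to have. A narrower line such as `console.error(context, error instanceof Error ? error.message : String(error));` may still carry them, since Drizzle query errors can embed the query and params in the message text, so check what the installed version emits and redact parameter values before logging if they are present. The TSDoc should say that the log line, not just the response, is now where the SQL and its parameters end up.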
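Review bot: The rewritten catch blocks still answer `res.status(400)` for whatever reaches them, which after this commit is most likely a database or queue failure rather than a malformed payload, so the sender is told its request was bad while operators cannot tell server faults from client errors by status. If the outer catch is in practice only reached by internal failures, `res.status(500).json({ message: "Error deploying Application" });` is the accurate code and lets 5xx-based alerting surface the Drizzle failures this commit hides from the body. The same applies to the corresponding catches in compose/[refreshToken].ts and in both github.ts hunks. handler starts outside this hunk.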
diff --git a/apps/dokploy/pages/api/deploy/compose/[refreshToken].ts b/apps/dokploy/pages/api/deploy/compose/[refreshToken].ts
index 640a2531d..85a379eb3 100644
--- a/apps/dokploy/pages/api/deploy/compose/[refreshToken].ts
+++ b/apps/dokploy/pages/api/deploy/compose/[refreshToken].ts
@@ -12,6 +12,7 @@ import {
 extractCommittedPaths,
 extractHash,
 getProviderByHeader,
+ logWebhookError,
 } from "../[refreshToken]";
 export default async function handler(
@@ -195,13 +196,14 @@ export default async function handler(
 );
 }
 } catch (error) {
- res.status(400).json({ message: "Error deploying Compose", error });
+ logWebhookError("Error deploying Compose:", error);
+ res.status(400).json({ message: "Error deploying Compose" });
 return;
 }
 res.status(200).json({ message: "Compose deployed successfully" });
 } catch (error) {
- console.log(error);
- res.status(400).json({ message: "Error deploying Compose", error });
+ logWebhookError("Error deploying Compose:", error);
+ res.status(400).json({ message: "Error deploying Compose" });
 }
 }
diff --git a/apps/dokploy/pages/api/deploy/github.ts b/apps/dokploy/pages/api/deploy/github.ts
index 4438366f6..293207198 100644
--- a/apps/dokploy/pages/api/deploy/github.ts
+++ b/apps/dokploy/pages/api/deploy/github.ts
@@ -17,7 +17,11 @@ import { applications, compose, github } from "@/server/db/schema";
 import type { DeploymentJob } from "@/server/queues/queue-types";
 import { myQueue } from "@/server/queues/queueSetup";
 import { deploy } from "@/server/utils/deploy";
-import { extractCommitMessage, extractHash } from "./[refreshToken]";
+import {
+ extractCommitMessage,
+ extractHash,
+ logWebhookError,
+} from "./[refreshToken]";
 export default async function handler(
 req: NextApiRequest,
@@ -197,10 +201,8 @@ export default async function handler(
 });
 return;
 } catch (error) {
- console.error("Error deploying applications on tag:", error);
- res
- .status(400)
- .json({ message: "Error deploying applications on tag", error });
+ logWebhookError("Error deploying applications on tag:", error);
+ res.status(400).json({ message: "Error deploying applications on tag" });
 return;
 }
 }
@@ -322,7 +324,8 @@ export default async function handler(
 }
 res.status(200).json({ message: `Deployed ${totalApps} apps` });
 } catch (error) {
- res.status(400).json({ message: "Error deploying Application", error });
+ logWebhookError("Error deploying Application:", error);
+ res.status(400).json({ message: "Error deploying Application" });
 } else if (req.headers["x-github-event"] === "pull_request") {
 const prId = githubBody?.pull_request?.id;
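Review bot: The new `logWebhookError("Error deploying applications on tag:", error)` call carries no request identifier, so once the error details are no longer echoed to the sender a failed delivery cannot be matched back to the webhook that caused it. This handler already branches on `req.headers["x-github-event"]` a few lines further down, and the delivery id GitHub sends in the same headers can be passed along, e.g. `logWebhookError(\`Error deploying applications on tag (delivery ${req.headers["x-github-delivery"]}):\`, error);`, which restores the correlation the old response body implicitly gave the operator. I cannot see whether an earlier line in handler already logs the delivery id; handler starts and ends outside this hunk.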