Disagreement · 3a9ae97b-anthropic-4

generate_ontology leaks full traceback and exception strings to API clients

solo Opus

repo 193af03f·PR #1·reviewed 1 week ago

Opus finding

generate_ontology leaks full traceback and exception strings to API clients

mediumsecurityhigh

backend/app/api/graph.py:226-232
backend/app/api/graph.py:390-396
backend/app/api/graph.py:449-455
backend/app/api/report.py:215-223

Multiple endpoints in graph.py and report.py return `traceback.format_exc()` directly in 500 responses. This leaks file paths, stack details, and (depending on the underlying error) potentially database URIs, API keys, or other secrets contained in exception messages. This is a generic information-disclosure issue that is widely flagged as a security smell, and it is happening on routes that are unauthenticated.

Recommendation

Log the traceback server-side via logger.exception() and return only a generic error message (or correlation id) to clients in production. Gate the traceback field on Config.DEBUG only.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

highsecurity
Path traversal in ProjectManager via unvalidated project_id
view anatomy →

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗