AntFleet

Receipt · f1b5393a-0

Health endpoint exposes operational details (env var presence, raw DB error messages) to unauthenticated callers

security · high · closed in 4640404 · closed in 28 minutes
repo ab4e09bc · PR #3 · reviewed 3 hours ago · 2 hours ago

The finding

  • apps/web/app/api/health/route.ts:5-11
  • apps/web/app/api/health/route.ts:37-41
  • apps/web/app/api/health/route.ts:47-51
  • apps/web/app/api/health/route.ts:55-58
The health endpoint is publicly accessible and intended for external uptime checks. It returns a detailed JSON payload that includes an explicit list of missing environment variable names and a raw database error message. DB error messages can reveal internal infrastructure details (hosts, driver info) and the env.missing array confirms which secrets are configured. This is unnecessary information disclosure for unauthenticated callers and increases the attack surface. A minimal health check should avoid leaking internal state beyond an overall status code or a simple boolean, or require authentication for detailed diagnostics.

Fix

For unauthenticated requests in production, limit the response to a simple status (e.g., { ok: boolean } or just HTTP 200/503) and omit fields like env.missing and db.error. Optionally gate detailed diagnostics behind authentication (e.g., require a secret header, signed token, or internal allowlist), or only include details in non-production environments. At minimum, sanitize/replace DB error messages with a generic string and avoid enumerating missing env vars to the public.
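As an added example (not the repository's own route.ts), the response builder below applies the fix described above: production callers without credentials get only `{ ok }` with 200/503, while a caller presenting the internal token (assumed to arrive in an `x-health-token` header, compared in constant time) or any non-production environment gets the diagnostics with the raw DB error replaced by a generic string. The `Probe` shape, function names, token value and sample probe are assumptions constructed for this example.

```typescript
// Probe results as the route handler would gather them (shape assumed for this example).
interface Probe { missingEnv: string[]; dbError: string | null }

interface HealthBody { ok: boolean; env?: { missing: string[] }; db?: { ok: boolean; error?: string } }
interface HealthResponse { status: 200 | 503; body: HealthBody }

// Compares the presented token with the expected one in constant time for equal-length
// inputs, so a public caller cannot learn the token byte by byte from response timing.
function tokenMatches(presented: string | undefined, expected: string): boolean {
  if (presented === undefined || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// Builds the health response. In production, unauthenticated callers get only { ok } with
// 200/503; diagnostics require a valid internal token (assumed header x-health-token) or a
// non-production environment, and the raw driver error is never echoed.
function buildHealthResponse(
  probe: Probe,
  opts: { nodeEnv: string; presentedToken?: string; expectedToken?: string },
): HealthResponse {
  const ok = probe.missingEnv.length === 0 && probe.dbError === null;
  const status: 200 | 503 = ok ? 200 : 503;
  const detailed =
    opts.nodeEnv !== "production" ||
    (opts.expectedToken !== undefined && tokenMatches(opts.presentedToken, opts.expectedToken));
  if (!detailed) return { status, body: { ok } }; // public view: overall health only
  return {
    status,
    body: {
      ok,
      env: { missing: probe.missingEnv },
      // A generic string replaces the driver message, which can name hosts, ports and driver versions.
      db: probe.dbError === null ? { ok: true } : { ok: false, error: "database check failed" },
    },
  };
}

// Constructed sample: one secret unset and a driver error that names an internal host.
const sampleProbe: Probe = {
  missingEnv: ["DATABASE_URL"],
  dbError: "connect ECONNREFUSED db-internal.example:5432",
};

// Returns [public production view, token-holder view] for the sample probe.
function sampleViews(): [HealthResponse, HealthResponse] {
  const pub = buildHealthResponse(sampleProbe, { nodeEnv: "production", expectedToken: "example-token" });
  const internal = buildHealthResponse(sampleProbe, {
    nodeEnv: "production", presentedToken: "example-token", expectedToken: "example-token",
  });
  return [pub, internal];
}
```

The public view for the sample is `{ ok: false }` with a 503, which is all an uptime checker needs; only the token holder sees `env.missing` and the sanitized `db` object.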

Agent attribution

The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.

anthropic

gpt-5

27.8s · error

openai

claude-opus-4-7

35.9s · error

Total

wall-clock review time · est. inference cost

35.9s · $0.40

Sweeper

closed at SHA 4640404

closed in 28 minutes

internal review id · f1b5393a

Third-party witnesses

Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
