fix(security #10): sanitize error details to prevent API key leakage

Added server/utils/sanitizeError.js which redacts: - ?apikey= query parameters (SABnzbd passes key in URL) - ?token= query parameters - X-Api-Key / X-MediaBrowser-Token / X-Emby-Authorization header values if they appear in the error message string Applied to all catch blocks in emby.js, sabnzbd.js, sonarr.js, radarr.js, and dashboard.js. Internal error.message still logged server-side (unredacted) for debugging.
2026-05-16 16:22:11 +01:00
parent d8584d0511
commit 8fa20c6990
6 changed files with 36 additions and 16 deletions
--- a/server/utils/sanitizeError.js
+++ b/server/utils/sanitizeError.js
@@ -0,0 +1,15 @@
+const API_KEY_PATTERN = /([?&]apikey=)[^&\s]*/gi;
+const TOKEN_PATTERN = /([?&]token=)[^&\s]*/gi;
+const HEADER_PATTERN = /x-(?:api-key|mediabrowser-token|emby-authorization):[^\s,]*/gi;
+
+function sanitizeError(err) {
+  let msg = err.message || String(err);
+  // Redact API keys in URLs (SABnzbd passes apikey as query param)
+  msg = msg.replace(API_KEY_PATTERN, '$1[REDACTED]');
+  msg = msg.replace(TOKEN_PATTERN, '$1[REDACTED]');
+  // Redact auth header values if they appear in the message
+  msg = msg.replace(HEADER_PATTERN, (m) => m.split(':')[0] + ':[REDACTED]');
+  return msg;
+}
+
+module.exports = sanitizeError;