From 5d8ec384747fd131a70a47f780f667620a350b72 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 7 Jun 2026 15:46:24 +0200
Subject: [PATCH] fix(nlp-service): return generic 500 detail to prevent credential leakage
Co-Authored-By: Claude Sonnet 4.6
---
 nlp-service/main.py | 2 +-
 nlp-service/test_main.py | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/nlp-service/main.py b/nlp-service/main.py
index 7163c8ac..3894cca0 100644
--- a/nlp-service/main.py
+++ b/nlp-service/main.py
@@ -50,4 +50,4 @@ def parse(request: ParseRequest) -> ParseResponse:
     try:
         return extract(request.query, request.lang)
     except Exception as exc:
-        raise HTTPException(status_code=500, detail=str(exc)) from exc
+        raise HTTPException(status_code=500, detail="internal error") from exc
diff --git a/nlp-service/test_main.py b/nlp-service/test_main.py
index 0b169c34..f02f3c03 100644
--- a/nlp-service/test_main.py
+++ b/nlp-service/test_main.py
@@ -79,3 +79,17 @@ def test_parse_all_languages(client):
     r = client.post("/parse", json={"query": query, "lang": lang})
     assert r.status_code == 200, f"Failed for lang={lang}"
     assert r.json()["dateTo"] == "1920-12-31", f"Wrong dateTo for lang={lang}"
+
+
+def test_parse_internal_exception_does_not_leak_detail(client, monkeypatch):
+    """500 errors must return generic message — never expose internal details."""
+    import main as main_module
+
+    def _boom(query, lang):
+        raise RuntimeError("postgresql://archive_user:s3cr3t@db:5432/family_archive_db")
+
+    monkeypatch.setattr(main_module, "extract", _boom)
+    r = client.post("/parse", json={"query": "test", "lang": "de"})
+    assert r.status_code == 500
+    assert "s3cr3t" not in r.text
+    assert r.json()["detail"] == "internal error"
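Review bot: The underlying exception is now invisible to operators as well as to clients, because the only place it was surfaced was the `detail` string and, as far as I can tell, the default FastAPI/Starlette HTTPException handler does not log the `from exc` cause chain. Record it server-side in the `except Exception as exc:` branch before re-raising, e.g. `logging.getLogger(__name__).exception("parse failed for lang=%s", request.lang)`, so the root cause of a 500 stays diagnosable while the response body remains the constant `internal error`. Keep the raw `request.query` out of that log line unless the service's log handling is known to be safe for user-supplied text. The enclosing `parse` function starts outside the hunk.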
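Review bot: The function-scope `import main as main_module` in test_parse_internal_exception_does_not_leak_detail exists only to feed `monkeypatch.setattr`, which also accepts a dotted target string; `monkeypatch.setattr("main.extract", _boom)` drops the local import and keeps the test aligned with how the `client` fixture presumably already references the app module. The final assertion could also pin the whole body rather than one key, `assert r.json() == {"detail": "internal error"}`, so any extra field added by a future custom 500 handler is caught by this test rather than only the literal `s3cr3t` substring check.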