
fix(server): strip stack traces from error responses #154

Closed
ch1lam wants to merge 8 commits into XiaomiMiMo:main from ch1lam:fix/error-stack-trace-leak

ch1lam commented Jun 11, 2026


Summary

  • Use err.message instead of err.stack in the server error handler
  • Prevents leaking internal file paths, dependency versions, and code structure to clients

Motivation

The error handler in packages/opencode/src/server/middleware.ts returned err.stack to the client for unhandled exceptions. Stack traces reveal internal implementation details that aid attackers in reconnaissance.

Changes

// Before
const message = err instanceof Error && err.stack ? err.stack : err.toString()

// After  
const message = err instanceof Error ? err.message : String(err)

The stack trace is still logged server-side via log.error() for debugging purposes.

Fixes #152
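
The before and after behaviour described in this pull request, as an added example that is not the project's code. All names (`clientMessageBefore`, `clientMessageAfter`, `handleError`, `looksLikeStackTrace`, `serverLog`) are hypothetical, and `String(err)` stands in for `err.toString()` so the "before" variant type-checks with `unknown`.

```typescript
// Added example; every name here is hypothetical and not taken from the project.
type LogEntry = { message: string; stack: string | undefined }
type ErrorResponse = { status: number; body: { message: string } }

// Stand-in for the server-side logger (the PR mentions log.error()).
const serverLog: LogEntry[] = []

// "Before": what the PR describes the handler returning to the client.
function clientMessageBefore(err: unknown): string {
  return err instanceof Error && err.stack ? err.stack : String(err)
}

// "After": the message only, as in the PR's change.
function clientMessageAfter(err: unknown): string {
  return err instanceof Error ? err.message : String(err)
}

// Heuristic for V8-style frames such as "    at fn (/srv/app/x.ts:10:5)".
function looksLikeStackTrace(text: string): boolean {
  return /^\s*at\s.+:\d+:\d+\)?\s*$/m.test(text)
}

// Error handler: full detail goes to the log, only the message to the client.
function handleError(err: unknown): ErrorResponse {
  const stack = err instanceof Error ? err.stack : undefined
  serverLog.push({ message: clientMessageAfter(err), stack })
  return { status: 500, body: { message: clientMessageAfter(err) } }
}

// Constructed failure standing in for an unhandled exception in a route.
function failingRoute(): never {
  throw new Error("session not found")
}

function capture(fn: () => void): unknown {
  try {
    fn()
  } catch (e) {
    return e
  }
  return undefined
}

const demo = handleError(capture(failingRoute))
console.log(demo.status, demo.body, looksLikeStackTrace(demo.body.message))
```

`looksLikeStackTrace` can serve as a regression assertion on response bodies. It only recognises stack frames; a library's error message can carry a file path or query text of its own, which this heuristic does not detect.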

qiaozongming and others added 8 commits June 11, 2026 01:23
docs: correct OpenCode repository URL in README files
…-qrcode

docs: update community group chat QR code
The error handler returned err.stack to the client for unhandled
exceptions, leaking internal file paths, dependency versions, and
code structure. Use err.message instead — the stack trace is still
logged server-side for debugging.
@qiaozongming

Collaborator

#952

@qiaozongming

Collaborator

#1109

Development

Successfully merging this pull request may close these issues.

[SECURITY] Server error responses expose full stack traces to clients
