The default `ExceptionHandler` includes `str(exc)` in the response to the client (`drf_standardized_errors/handler.py`, lines 72 to 80 at 760e5d5):

```python
def convert_unhandled_exceptions(self, exc: Exception) -> exceptions.APIException:
    """
    Any non-DRF unhandled exception is converted to an APIException which
    has a 500 status code.
    """
    if not isinstance(exc, exceptions.APIException):
        return exceptions.APIException(detail=str(exc))
    else:
        return exc
```
`exc` might be an internal error that was never meant to be displayed to users. Its message might contain secrets or configuration data (internal hostnames, connection strings, file paths). As an artificial example:
```python
from rest_framework.response import Response
from rest_framework.views import APIView


class MyView(APIView):
    def post(self, request):
        # Raises InternalServiceError("connection refused: http://192.168.100.100:5000")
        interval_service.submit(request.data)
        return Response()
```
Will respond with the following, leaking the service's host:
```json
{
    "type": "server_error",
    "errors": [
        {
            "code": "error",
            "detail": "connection refused: http://192.168.100.100:5000",
            "attr": null
        }
    ]
}
```
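As an added example that is not part of this report or of the library's own code, here is an `ExceptionHandler` override that keeps the unhandled exception's message out of the response: the client gets a generic detail plus a correlation id, and the real message and traceback go to the server log only. It assumes the base class is `drf_standardized_errors.handler.ExceptionHandler` and that the subclass is selected through the `EXCEPTION_HANDLER_CLASS` setting; the stand-in classes in the `except` branch exist only so the snippet runs where Django/DRF are not installed.

```python
"""Added example: ExceptionHandler override that never returns str(exc) to
the client. Assumes (not confirmed by the report) the base class
drf_standardized_errors.handler.ExceptionHandler and selection via
DRF_STANDARDIZED_ERRORS = {"EXCEPTION_HANDLER_CLASS": "myapp.errors.SafeExceptionHandler"}.
"""
import logging
import uuid

try:
    from rest_framework import exceptions
    from drf_standardized_errors.handler import ExceptionHandler
except Exception:
    # Constructed stand-ins so the snippet runs where Django/DRF are absent or
    # not configured; they mirror only the attributes the override touches.
    class _APIException(Exception):
        status_code = 500

        def __init__(self, detail=None):
            self.detail = "A server error occurred." if detail is None else detail
            super().__init__(self.detail)

    class _Exceptions:
        APIException = _APIException

    exceptions = _Exceptions()

    class ExceptionHandler:
        def __init__(self, exc, context):
            self.exc = exc
            self.context = context

logger = logging.getLogger(__name__)


def redacted_server_error(exc):
    """Log the real exception server-side and return an APIException whose
    detail carries only a generic message and a correlation id."""
    error_id = uuid.uuid4().hex
    # exc_info=exc keeps the original message and traceback in the log only;
    # the id lets a user report the failure without seeing the message.
    logger.error("unhandled exception %s", error_id, exc_info=exc)
    return exceptions.APIException(
        detail=f"A server error occurred (reference {error_id})."
    )


class SafeExceptionHandler(ExceptionHandler):
    def convert_unhandled_exceptions(self, exc):
        # DRF exceptions were written for clients already: pass them through.
        if isinstance(exc, exceptions.APIException):
            return exc
        # Anything else is an internal error: replace its message entirely.
        return redacted_server_error(exc)


def client_detail_for(exc):
    """Run an exception through the override and return what the client sees."""
    handler = SafeExceptionHandler(exc, {})
    return str(handler.convert_unhandled_exceptions(exc).detail)


if __name__ == "__main__":
    # Constructed sample mirroring the report's artificial example.
    leaky = RuntimeError("connection refused: http://192.168.100.100:5000")
    print(client_detail_for(leaky))
```

The pass-through branch is deliberate: `APIException` subclasses such as `ValidationError` carry details intended for the client, so only non-DRF exceptions are redacted.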