Codeql : Fix to remove exception details from the response (#10671)

namanimsft · web-flow · commit 239f8fcc9643 · 2025-01-15T15:52:38.000-06:00
diff --git a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
@@ -464,8 +464,7 @@ protected Task<HttpResponseMessage> CreateFileDeleteResponse(HttpRequest request
 
         /// <summary>
         /// Indicates whether this is a conditional range request containing an
-        /// If-Range header with a matching etag and a Range header indicating the
-        /// desired ranges
+        /// If-Range header with a matching etag and a Range header indicating the desired ranges.
         /// </summary>
         protected bool IsRangeRequest(HttpRequest request, Net.Http.Headers.EntityTagHeaderValue currentEtag)
         {
@@ -531,7 +530,7 @@ private static Stream GetFileDeleteStream(FileInfoBase file)
         }
 
         /// <summary>
-        /// Create unique etag based on the last modified UTC time
+        /// Create unique etag based on the last modified UTC time.
         /// </summary>
         private static Microsoft.Net.Http.Headers.EntityTagHeaderValue CreateEntityTag(FileSystemInfoBase sysInfo)
         {
@@ -641,10 +640,52 @@ private IEnumerable<VfsStatEntry> GetDirectoryResponse(HttpRequest request, File
         protected HttpResponseMessage CreateResponse(HttpStatusCode statusCode, object payload = null)
         {
             var response = new HttpResponseMessage(statusCode);
-            if (payload != null)
+            try
             {
-                var content = payload is string ? payload as string : JsonConvert.SerializeObject(payload);
-                response.Content = new StringContent(content, Encoding.UTF8, "application/json");
+                if (payload != null)
+                {
+                    // Use safe serialization settings
+                    var jsonSerializerSettings = new JsonSerializerSettings
+                    {
+                        NullValueHandling = NullValueHandling.Ignore,
+                        DefaultValueHandling = DefaultValueHandling.Include,
+                        Formatting = Formatting.None
+                    };
+
+                    // Check if the payload is a string or an exception
+                    payload = payload switch
+                    {
+                        string str => str,
+                        Exception ex => ex.Message,
+                        _ => payload
+                    };
+
+                    // Sanitize the payload if it's an object
+                    var content = payload switch
+                    {
+                        string str => str,
+                        _ => JsonConvert.SerializeObject(payload, jsonSerializerSettings)
+                    };
+                    response.Content = new StringContent(content, Encoding.UTF8, "application/json");
+                }
+            }
+            catch (JsonSerializationException je)
+            {
+                // Return a generic error message to avoid exposing sensitive details
+                _logger.LogError(je, je.Message);
+                response = new HttpResponseMessage(HttpStatusCode.InternalServerError)
+                {
+                    Content = new StringContent("An error occurred while processing the response payload.", Encoding.UTF8, "text/plain")
+                };
+            }
+            catch (Exception ex)
+            {
+                // Return a generic error message to avoid exposing sensitive details
+                _logger.LogError(ex, ex.Message);
+                response = new HttpResponseMessage(HttpStatusCode.InternalServerError)
+                {
+                    Content = new StringContent("An unexpected error occurred.", Encoding.UTF8, "text/plain")
+                };
             }
             return response;
         }
