default to a generic error message for unhandled exceptions to avoid unintentionally leaking sensitive data.

fixes #99

Author: ghazi-git

docs/changelog.md

@@ -10,6 +10,31 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - add support for django 5.2
 - add support for DRF 3.16
 
+### Changed (backward-incompatible)
+- Unhandled exceptions now return a generic error message by default. This avoids unintentionally leaking
+sensitive data included in the exception message. To revert to the old behavior or change the default error
+message:
+  - create a custom exception handler class
+    ```python
+    from rest_framework.exceptions import APIException
+    from drf_standardized_errors.handler import ExceptionHandler
+    
+    class MyExceptionHandler(ExceptionHandler):
+        def convert_unhandled_exceptions(self, exc: Exception) -> APIException:
+            if not isinstance(exc, APIException):
+                # `return APIException(detail=str(exc))` restores the old behavior 
+                return APIException(detail="New error message")
+            else:
+                return exc
+    ```
+  - Then, update the settings to point to your exception handler class
+    ```python
+    DRF_STANDARDIZED_ERRORS = {
+        # ...
+        "EXCEPTION_HANDLER_CLASS": "path.to.MyExceptionHandler"
+    }
+    ```
+
 ## [0.14.1] - 2024-08-10
 ### Added
 - declare support for django 5.1

docs/faq.md

@@ -43,3 +43,26 @@ You can check this [issue](https://github.com/ghazi-git/drf-standardized-errors/
 for a possible solution. Still, `djangorestframework-camel-case` is built to work specifically with
 the default exception handler from DRF. It assumes that field names are the keys in the returned dict.
 So, that does not work well with this package.
+
+
+## How can I change the default error message for unhandled exceptions
+
+You need to create a custom exception handler class
+```python
+from rest_framework.exceptions import APIException
+from drf_standardized_errors.handler import ExceptionHandler
+
+class MyExceptionHandler(ExceptionHandler):
+    def convert_unhandled_exceptions(self, exc: Exception) -> APIException:
+        if not isinstance(exc, APIException):
+            return APIException(detail="New error message")
+        else:
+            return exc
+```
+Then, update the settings to point to your exception handler class
+```python
+DRF_STANDARDIZED_ERRORS = {
+    # ...
+    "EXCEPTION_HANDLER_CLASS": "path.to.MyExceptionHandler"
+}
+```

drf_standardized_errors/handler.py

@@ -75,7 +75,10 @@ def convert_unhandled_exceptions(self, exc: Exception) -> exceptions.APIExceptio
         has a 500 status code.
         """
         if not isinstance(exc, exceptions.APIException):
-            return exceptions.APIException(detail=str(exc))
+            # return a generic error message to avoid potentially leaking sensitive
+            # data and match DRF/django behavior (same generic error message returned
+            # by django.views.defaults.server_error)
+            return exceptions.APIException(detail="Server Error (500)")
         else:
             return exc
 

tests/test_settings.py

@@ -41,7 +41,7 @@ def test_custom_exception_formatter_class(settings, api_client):
     assert response.status_code == 500
     assert response.data["type"] == "server_error"
     assert response.data["code"] == "error"
-    assert response.data["message"] == "Internal server error."
+    assert response.data["message"] == "Server Error (500)"
     assert response.data["field_name"] is None
 
 
@@ -82,7 +82,7 @@ def test_enable_in_debug_for_unhandled_exception_is_true(
     assert len(response.data["errors"]) == 1
     error = response.data["errors"][0]
     assert error["code"] == "error"
-    assert error["detail"] == "Internal server error."
+    assert error["detail"] == "Server Error (500)"
     assert error["attr"] is None