What looked correct
In a typical review, everything appeared secure. Client bundles contained no secrets. No API route obviously returned environment variables. Some server paths already used redaction and sanitization utilities. In demos and smoke tests, failures returned structured error responses, and nothing visibly sensitive appeared in the UI.
Context
This issue lived in server-side API routes and admin proxy endpoints that sit between external providers, internal tooling, and end users. These layers are responsible for translating upstream responses into safe, controlled outputs.
What actually happened
On failure paths, multiple routes returned raw upstream response bodies, or truncated versions of them, directly to callers; truncation bounds the size of a response, not its contents. In one case, command output bypassed sanitization entirely. These responses could include provider diagnostics, internal context, or other unintended details. The system behaved correctly on success paths but diverged in error handling.
Why it was missed
Standard validation focused on the most visible risks: client-side leaks and direct environment exposure. Those checks passed. The presence of partial sanitization created a false sense of coverage. Error paths were not exercised deeply, and when they were, the responses looked structured enough to pass as safe. The gap existed specifically in failure handling, which is tested less often and is frequently treated as secondary.
Why it matters
This creates a subtle but real exposure risk. Sensitive or internal details can leak through error responses even when the system appears secure elsewhere, and an attacker who can trigger failures on demand can harvest them. It also introduces false confidence: teams believe guardrails are in place because the obvious checks pass, while the actual leak path sits in edge-case execution. The impact can include unintended data exposure, reconnaissance value for further attacks, and inconsistent behavior under failure conditions.
Outcome
Error handling is now treated as the same trust boundary as the success path. Upstream responses are normalized into controlled formats, detailed diagnostics are confined to sanitized server logs, and all proxy and admin paths apply consistent redaction rules, including in failure scenarios.