fix(#289): Prevent private key decryption error data leaks

Modified decrypt() error handling to only log error type without stack traces, error details, or encrypted content. Added test to verify sensitive data is not exposed in logs. Security improvement: Prevents leakage of encrypted data or partial decryption results through error logs. Fixes #289 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 21:35:15 -06:00
parent ecb33a17fe
commit 77d1d14e08
2 changed files with 31 additions and 2 deletions
--- a/apps/api/src/federation/crypto.service.ts
+++ b/apps/api/src/federation/crypto.service.ts
@@ -90,7 +90,10 @@ export class CryptoService {

      return decrypted;
    } catch (error) {
-      this.logger.error("Decryption failed", error);
+      // Security: Do not log error details which may contain sensitive data
+      // Only log error type/code without stack trace or encrypted content
+      const errorType = error instanceof Error ? error.constructor.name : "Unknown";
+      this.logger.error(`Decryption failed: ${errorType}`);
      throw new Error("Failed to decrypt data");
    }
  }