fix(webapp): sanitise 500 leaks on deployment finalize routes

d-cs · d-cs · commit 6c1fda8a9d4b · 2026-05-08T11:48:44.000+01:00
Devin's PR review flagged three deployment finalize routes (api.v1/v2/v3.deployments.$deploymentId.finalize.ts) that still surfaced raw `error.message` via the template-string variant (`Internal server error: ${error.message}`) on the catch-all 500 branch. Replace with a generic body and route the full error through logger.error for server-side visibility, matching the pattern used in the rest of this PR.

Also fixes the same template-string leak inside the v3 SSE stream's .catch handler, where the raw message would have been written into the SSE event:error data payload.
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts
@@ -54,12 +54,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
   } catch (error) {
     if (error instanceof ServiceValidationError) {
       return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      logger.error("Error finalizing deployment", { error: error.message });
-      return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
-    } else {
-      logger.error("Error finalizing deployment", { error: String(error) });
-      return json({ error: "Internal server error" }, { status: 500 });
     }
+
+    logger.error("Error finalizing deployment", { error });
+    return json({ error: "Internal server error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v2.deployments.$deploymentId.finalize.ts b/apps/webapp/app/routes/api.v2.deployments.$deploymentId.finalize.ts
@@ -54,12 +54,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
   } catch (error) {
     if (error instanceof ServiceValidationError) {
       return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      logger.error("Error finalizing deployment", { error: error.message });
-      return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
-    } else {
-      logger.error("Error finalizing deployment", { error: String(error) });
-      return json({ error: "Internal server error" }, { status: 500 });
     }
+
+    logger.error("Error finalizing deployment", { error });
+    return json({ error: "Internal server error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v3.deployments.$deploymentId.finalize.ts b/apps/webapp/app/routes/api.v3.deployments.$deploymentId.finalize.ts
@@ -75,11 +75,8 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
         if (error instanceof ServiceValidationError) {
           errorMessage = { error: error.message };
-        } else if (error instanceof Error) {
-          logger.error("Error finalizing deployment", { error: error.message });
-          errorMessage = { error: `Internal server error: ${error.message}` };
         } else {
-          logger.error("Error finalizing deployment", { error: String(error) });
+          logger.error("Error finalizing deployment", { error });
           errorMessage = { error: "Internal server error" };
         }
 
@@ -93,12 +90,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
   } catch (error) {
     if (error instanceof ServiceValidationError) {
       return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      logger.error("Error finalizing deployment", { error: error.message });
-      return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
-    } else {
-      logger.error("Error finalizing deployment", { error: String(error) });
-      return json({ error: "Internal server error" }, { status: 500 });
     }
+
+    logger.error("Error finalizing deployment", { error });
+    return json({ error: "Internal server error" }, { status: 500 });
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -54,12 +54,9 @@ export async function action({ request, params }: ActionFunctionArgs) {`
`54`	`54`	`} catch (error) {`
`55`	`55`	`if (error instanceof ServiceValidationError) {`
`56`	`56`	`return json({ error: error.message }, { status: 400 });`
`57`		`- } else if (error instanceof Error) {`
`58`		`- logger.error("Error finalizing deployment", { error: error.message });`
`59`		- return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
`60`		`- } else {`
`61`		`- logger.error("Error finalizing deployment", { error: String(error) });`
`62`		`- return json({ error: "Internal server error" }, { status: 500 });`
`63`	`57`	`}`
	`58`	`+`
	`59`	`+ logger.error("Error finalizing deployment", { error });`
	`60`	`+ return json({ error: "Internal server error" }, { status: 500 });`
`64`	`61`	`}`
`65`	`62`	`}`