
Bridge target create/edit leaks raw encryption exception message to the admin UI

Patrick Bass · Jun 6 · 9 · 1 Locked
[Minor] [Normal Priority] [Bug Fixed] [Always Reproduces]
🚀 OP Jun 6, 2026 8:34pm

Area: Admin deep-dive (commerce/config) (audit p15b) · Surface: /admin/bridge/new and /admin/bridge/{id} · Dimension: Law 6 / error hygiene · Severity: minor

Surfacing a raw exception message from the encryption layer to the user is an internal-mechanics leak and unhelpful to a tenant admin. It should log server-side and show a generic message.

Evidence

AdminBridgeController.php:108 `$this->flash('error', 'Webhook URL encryption failed: ' . $e->getMessage());` and :206 (same in update path). $e is a \Throwable from BridgeCipher::encrypt(); its message can expose crypto/library internals to the tenant admin.

Suggested fix. Log $e->getMessage() via $this->logger and flash a generic 'Could not save the bridge target. Please try again or contact support.'

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.


Patrick Bass
@mobieus

🚀 Jun 7, 2026 5:49am

Resolved — fixed and deployed. Commit ea9f0311e960, shipped dev-first then to all tenants on 2026-06-06.

In create() and update(), the two BridgeCipher encrypt/fingerprint catch (\Throwable $e) blocks were leaking $e->getMessage() into the user flash. Both now log the error via $this->logger->error('bridge target encryption failed', ['error' => $e->getMessage()]) and flash the generic 'Could not save the bridge target. Please try again or contact support.' message.

Status: fixed. Thread closed and locked.


Patrick Bass
@mobieus
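The leak and the fix described in this thread, as an added PHP example that is not the project's own code: BridgeCipher, FlashSink and ErrorLog are constructed stand-ins for the controller's collaborators, and the exception message is invented to show what an internal detail could look like when it reaches the flash.

```php
<?php
declare(strict_types=1);
// Constructed stand-ins for the page's BridgeCipher and the controller's flash/logger.
final class BridgeCipher
{
    public function encrypt(string $plaintext): string
    {
        // Constructed failure: a real one may carry library or key-material details.
        throw new RuntimeException('openssl_encrypt(): key length 12 invalid for aes-256-gcm');
    }
}

final class FlashSink
{
    public array $flashes = [];
    public function flash(string $level, string $msg): void { $this->flashes[] = "[$level] $msg"; }
}

final class ErrorLog
{
    public array $records = [];
    public function error(string $msg, array $ctx = []): void { $this->records[] = [$msg, $ctx]; }
}

// Before: the raw exception text reaches the tenant admin (the bug reported above).
function saveLeaky(BridgeCipher $cipher, FlashSink $ui, string $url): void
{
    try {
        $cipher->encrypt($url);
    } catch (\Throwable $e) {
        $ui->flash('error', 'Webhook URL encryption failed: ' . $e->getMessage());
    }
}

// After: detail goes to the server log with context; the UI gets a generic message.
function saveHardened(BridgeCipher $cipher, FlashSink $ui, ErrorLog $log, string $url): void
{
    try {
        $cipher->encrypt($url);
    } catch (\Throwable $e) {
        $log->error('bridge target encryption failed', ['error' => $e->getMessage(), 'exception' => get_class($e)]);
        $ui->flash('error', 'Could not save the bridge target. Please try again or contact support.');
    }
}

$cipher = new BridgeCipher(); $ui = new FlashSink(); $log = new ErrorLog();
saveLeaky($cipher, $ui, 'https://example.invalid/hook');
saveHardened($cipher, $ui, $log, 'https://example.invalid/hook');
echo implode("\n", $ui->flashes), "\n";                 // leaky flash shows the internal message
echo 'server log: ', json_encode($log->records), "\n";   // hardened detail stays server-side
```

Run with `php leak_demo.php`: the first flash line carries the library text, the second only the generic message, and the log record holds the detail for the operator.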
