🛡️ : Security Enhancements (#1681)

* fix: sanitize HTTP params and do not send whole error objects backs

* fix: prevent path traversal

* fix: send custom error message for tokenizer route

* chore: handle info exposure vector

* chore(oauth): skip check due to false positive as oauth routes are rate-limited

* chore(app): disable `x-powered-by`

* chore: disable false positives or flagging of hardcoded secrets when they are fake values

* chore: add path traversal safety check

api/server/controllers/ErrorController.js

@@ -3,23 +3,24 @@ const { logger } = require('~/config');
 //handle duplicates
 const handleDuplicateKeyError = (err, res) => {
   logger.error('Duplicate key error:', err.keyValue);
-  const field = Object.keys(err.keyValue);
+  const field = `${JSON.stringify(Object.keys(err.keyValue))}`;
   const code = 409;
-  const error = `An document with that ${field} already exists.`;
-  res.status(code).send({ messages: error, fields: field });
+  res
+    .status(code)
+    .send({ messages: `An document with that ${field} already exists.`, fields: field });
 };
 
 //handle validation errors
 const handleValidationError = (err, res) => {
   logger.error('Validation error:', err.errors);
   let errors = Object.values(err.errors).map((el) => el.message);
-  let fields = Object.values(err.errors).map((el) => el.path);
+  let fields = `${JSON.stringify(Object.values(err.errors).map((el) => el.path))}`;
   let code = 400;
   if (errors.length > 1) {
-    const formattedErrors = errors.join(' ');
-    res.status(code).send({ messages: formattedErrors, fields: fields });
+    errors = errors.join(' ');
+    res.status(code).send({ messages: `${JSON.stringify(errors)}`, fields: fields });
   } else {
-    res.status(code).send({ messages: errors, fields: fields });
+    res.status(code).send({ messages: `${JSON.stringify(errors)}`, fields: fields });
   }
 };