security (api): fix Information exposure through an exception

app/api/index.py

@@ -1,7 +1,6 @@
 import logging
 import multiprocessing
 import os
-import traceback
 
 from classes.RFID_Reader import door_controller
 from flask import Flask, jsonify
@@ -82,4 +81,5 @@ def set_lockout():
 
         return jsonify({"locked_out": str(not locked_out_state)}), 200
     except Exception as e:
-        return jsonify({"error": str(e), "stack": traceback.format_exc()}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400

app/api/routes/accessLog.py

@@ -1,5 +1,6 @@
 from aws import S3, db
 from flask import Blueprint, abort, jsonify, request
+import logging
 
 bp_access_log = Blueprint("log", __name__, url_prefix="/log")
 
@@ -12,7 +13,8 @@ def read_logs():
             abort(404, description="No logs found.")
         return jsonify(response), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400
 
 
 @bp_access_log.route("/<int:user_id>", methods=["GET"])
@@ -23,7 +25,8 @@ def read_logs_by_employee(user_id):
             abort(404, description="No logs found.")
         return jsonify(response), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400
 
 
 @bp_access_log.route("/<int:user_id>", methods=["POST"])
@@ -35,7 +38,8 @@ def register_entry(user_id):
         db.register_entry(data["TagID"], user_id)
         return jsonify("Success"), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400
 
 
 @bp_access_log.route("/share", methods=["POST"])
@@ -49,4 +53,5 @@ def share_video():
         url = S3.generate_share_url(bucket_name, file_object)
         return jsonify({"url": url}), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400

app/api/routes/camera.py

@@ -1,5 +1,6 @@
 from aws import S3
 from flask import Blueprint, abort, jsonify
+import logging
 
 bp_cameras = Blueprint("camera", __name__, url_prefix="/camera")
 
@@ -10,7 +11,8 @@ def view_camera():
         return abort(404, description="Not implemented.")
         # return jsonify(response), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400
 
 
 @bp_cameras.route("/history/unidentified", methods=["GET"])
@@ -21,7 +23,8 @@ def view_unidentified_footage():
             return abort(404, "No footage found.")
         return jsonify(response), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400
 
 
 @bp_cameras.route("/history/<int:user_id>", methods=["GET"])
@@ -32,4 +35,5 @@ def view_employee_footage(user_id):
             return abort(404, "No footage found.")
         return jsonify(response), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400

app/api/routes/card.py

@@ -1,5 +1,6 @@
 from aws import db
 from flask import Blueprint, abort, jsonify
+import logging
 
 bp_cards = Blueprint("card", __name__, url_prefix="/card")
 
@@ -12,4 +13,5 @@ def read_card(card_id):
             abort(404, description="This keycard is not linked to an Employee.")
         return jsonify(user), 200
     except Exception as e:
-        return jsonify({"error": str(e)}), 400
+        logging.error("Error creating user: %s", str(e))
+        return jsonify({"error": "An internal error has occurred."}), 400