Area: internal/api/admin/excluded_models.go, internal/api/admin/excluded_providers.go
Problem
PUT /admin/v1/excluded-models and PUT /admin/v1/excluded-providers return err.Error() directly in the 400 response body when an unknown model or provider name is submitted, leaking the internal Go package name prefix to the client:
{"error":"auth: unknown model id: \"some-model-name\""}
{"error":"auth: unknown provider: \"some-provider-name\""}
The auth: prefix is the internal Go package name, coming from:
var ErrUnknownModel = errors.New("auth: unknown model id")
Every other 400 response in the admin API uses a static string. These two handlers are the only ones that pass err.Error() through to the client on a validation failure.
Steps to reproduce
curl -s -X PUT http://localhost:8080/admin/v1/excluded-models \
-H "Content-Type: application/json" \
-b <admin_cookie> \
-d '{"excluded":["not-a-real-model"]}'
# Returns: {"error":"auth: unknown model id: \"not-a-real-model\""}
Expected behavior
{"error":"unknown model id in exclusion list"}
{"error":"unknown provider in exclusion list"}
Fix
Replace err.Error() with static strings consistent with the rest of the admin API. Fix available in PR #528 .
Area:
internal/api/admin/excluded_models.go,internal/api/admin/excluded_providers.goProblem
PUT /admin/v1/excluded-modelsandPUT /admin/v1/excluded-providersreturnerr.Error()directly in the 400 response body when an unknown model or provider name is submitted, leaking the internal Go package name prefix to the client:{"error":"auth: unknown model id: \"some-model-name\""} {"error":"auth: unknown provider: \"some-provider-name\""}The
auth:prefix is the internal Go package name, coming from:Every other 400 response in the admin API uses a static string. These two handlers are the only ones that pass
err.Error()through to the client on a validation failure.Steps to reproduce
Expected behavior
{"error":"unknown model id in exclusion list"} {"error":"unknown provider in exclusion list"}Fix
Replace
err.Error()with static strings consistent with the rest of the admin API. Fix available in PR #528 .