From efa82dff866f9545329d841e4470e86edcdbd58f Mon Sep 17 00:00:00 2001
From: GeiserX <9169332+GeiserX@users.noreply.github.com>
Date: Wed, 15 Apr 2026 16:25:36 +0200
Subject: [PATCH] fix: suppress stack trace exposure in worker status page

CodeQL alert #2: raw exception message from heartbeat failures was rendered in the worker HTML status page, potentially leaking internal details (file paths, hostnames, etc.) to external users. Replace str(exc) with a generic "connection failed" message for display; full details remain in server logs.
---
 app/worker_api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/worker_api.py b/app/worker_api.py
index e0dfcb3..de9394e 100644
--- a/app/worker_api.py
+++ b/app/worker_api.py
@@ -107,7 +107,7 @@ async def _send_heartbeat() -> None:
 logger.debug("Heartbeat sent to %s", UI_URL)
 except Exception as exc:
 _ui_connected = False
- _last_error = str(exc)
+ _last_error = "connection failed"
 logger.warning("Heartbeat failed: %s", exc)
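Review bot: The commit message says "full details remain in server logs", but the visible `logger.warning("Heartbeat failed: %s", exc)` records only the exception's message, not its type or traceback, so once the status page stops showing the reason an operator has less to go on than the description implies. If that is the intent, log the class as well, e.g. `logger.warning("Heartbeat failed: %s: %s", type(exc).__name__, exc)`, or pass `exc_info=True` at debug level if the heartbeat is frequent enough that a full traceback per failure would be noisy. As a point of style, the new `"connection failed"` literal is a user-facing string that the status-page renderer presumably compares against or displays; hoisting it to a module-level constant (e.g. `_HEARTBEAT_FAILED_MSG = "connection failed"`) keeps the display text defined in one place. The enclosing `_send_heartbeat` body begins before this hunk, so the `try` being guarded is not visible here.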