From 1043feeab3381b8c640cc4f240166168c67bbe2b Mon Sep 17 00:00:00 2001
From: Vyacheslav Matyukhin <me@berekuk.ru>
Date: Fri, 10 Jan 2025 14:51:42 -0300
Subject: [PATCH] don't expose build errors to frontend

---
 apps/hub/src/models/data/cards.ts     | 2 +-
 apps/hub/src/models/data/full.ts      | 1 +
 apps/hub/src/models/data/revisions.ts | 5 ++---
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/hub/src/models/data/cards.ts b/apps/hub/src/models/data/cards.ts
index ddcca98a8a..eb7aa655b7 100644
--- a/apps/hub/src/models/data/cards.ts
+++ b/apps/hub/src/models/data/cards.ts
@@ -69,8 +69,8 @@ const select = {
       },
       builds: {
         select: {
+          // be careful with selecting errors here - potential security risk, build script doesn't take `isPrivate` into account
           runSeconds: true,
-          errors: true,
         },
         orderBy: {
           createdAt: "desc",
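Review bot: The new guard comment sits directly above `runSeconds: true`, so it reads as a remark about that field, and "be careful" does not say what the rule is; the same line is added in the `full.ts` hunk. I would state the rule itself at the top of the `select` body, e.g. `// Do NOT select errors here: this row is returned to the frontend, and the build script doesn't take isPrivate into account`. The comment is also the only thing keeping `errors` out of this query, so a later edit can bring it back without any compile error; whether this row is narrowed through a DTO type before it leaves the server is not visible here, since the `select` object starts and ends outside the hunk.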
diff --git a/apps/hub/src/models/data/full.ts b/apps/hub/src/models/data/full.ts
index 4c304304e5..a9c9b3cfa6 100644
--- a/apps/hub/src/models/data/full.ts
+++ b/apps/hub/src/models/data/full.ts
@@ -57,6 +57,7 @@ async function toDTO(row: Row): Promise<ModelFullDTO> {
       select: {
         builds: {
           select: {
+            // be careful with selecting errors here - potential security risk, build script doesn't take `isPrivate` into account
             runSeconds: true,
           },
         },
diff --git a/apps/hub/src/models/data/revisions.ts b/apps/hub/src/models/data/revisions.ts
index c52c0f2da3..a399bff6b0 100644
--- a/apps/hub/src/models/data/revisions.ts
+++ b/apps/hub/src/models/data/revisions.ts
@@ -20,7 +20,7 @@ export const selectModelRevision = {
   // used for `buildStatus` and `lastBuild`
   builds: {
     select: {
-      errors: true,
+      errors: true, // selected for `buildStatus`
       runSeconds: true,
     },
     orderBy: {
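Review bot: `errors` is still fetched by the exported `selectModelRevision`, so every row loaded with this select carries the raw build error strings, and only the DTO mapping further down the file keeps them out of the response. The trailing comment says why the field is selected but not that it must stay server-side; I would write `errors: true, // server-side only, used to derive buildStatus; never copy into a DTO (build script ignores isPrivate)`. If `buildStatus` only needs to know whether any errors exist, which this hunk does not show, it would be safer to derive that once and not pass the strings any further. The object starts and ends outside the hunk.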
@@ -51,7 +51,7 @@ type DbModelRevisionBuild = DbModelRevision["builds"][number];
 
 type ModelRevisionBuildDTO = {
   runSeconds: number;
-  errors: string[];
+  // no errors here - potential security risk, build script doesn't take `isPrivate` into account
 };
 
 export type ModelRevisionDTO = {
@@ -67,7 +67,6 @@ export type ModelRevisionDTO = {
 function buildToDTO(build: DbModelRevisionBuild): ModelRevisionBuildDTO {
   return {
     runSeconds: build.runSeconds,
-    errors: build.errors,
   };
 }