fix(http)!: sanitize non-2xx error output (#2654)

Deeven-Seru · gemini-code-assist[bot] · Yuan325 · web-flow · commit 5bef954507c8 · 2026-03-25T23:46:59.000Z
## Summary - sanitize non-2xx response errors by default (no upstream body) - add returnFullError opt-in for raw body in error - log truncated body at debug level when sanitized - add regression tests + docs ## Breaking change - non-2xx errors now return sanitized messages unless returnFullError is enabled ## Testing - go test ./internal/sources/http Fixes #2617 --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
diff --git a/docs/en/resources/sources/http.md b/docs/en/resources/sources/http.md
@@ -32,6 +32,7 @@ headers:
 queryParams:
   param1: value1
   param2: value2
+# returnFullError: false
 # disableSslVerification: false
 ```
 
@@ -49,6 +50,7 @@ instead of hardcoding your secrets into the configuration file.
 | timeout                |      string       |    false     | The timeout for HTTP requests (e.g., "5s", "1m", refer to [ParseDuration][parse-duration-doc] for more examples). Defaults to 30s. |
 | headers                | map[string]string |    false     | Default headers to include in the HTTP requests.                                                                                   |
 | queryParams            | map[string]string |    false     | Default query parameters to include in the HTTP requests.                                                                          |
+| returnFullError        |       bool        |    false     | Include raw upstream response bodies in error messages for non-2xx responses. Defaults to `false`.                                 |
 | disableSslVerification |       bool        |    false     | Disable SSL certificate verification. This should only be used for local development. Defaults to `false`.                         |
 
 [parse-duration-doc]: https://pkg.go.dev/time#ParseDuration
diff --git a/internal/sources/http/http.go b/internal/sources/http/http.go
@@ -30,6 +30,7 @@ import (
 )
 
 const SourceType string = "http"
+const maxErrorBodyLogBytes = 1024
 
 // validate interface
 var _ sources.SourceConfig = Config{}
@@ -55,6 +56,7 @@ type Config struct {
 	Timeout                string            `yaml:"timeout"`
 	DefaultHeaders         map[string]string `yaml:"headers"`
 	QueryParams            map[string]string `yaml:"queryParams"`
+	ReturnFullError        bool              `yaml:"returnFullError"`
 	DisableSslVerification bool              `yaml:"disableSslVerification"`
 }
 
@@ -146,7 +148,7 @@ func (s *Source) Client() *http.Client {
 	return s.client
 }
 
-func (s *Source) RunRequest(req *http.Request) (any, error) {
+func (s *Source) RunRequest(ctx context.Context, req *http.Request) (any, error) {
 	// Make request and fetch response
 	resp, err := s.Client().Do(req)
 	if err != nil {
@@ -160,7 +162,21 @@ func (s *Source) RunRequest(req *http.Request) (any, error) {
 		return nil, err
 	}
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
-		return nil, fmt.Errorf("unexpected status code: %d, response body: %s", resp.StatusCode, string(body))
+		if s.ReturnFullError {
+			return nil, fmt.Errorf("unexpected status code: %d, response body: %s", resp.StatusCode, string(body))
+		}
+
+		logger, err := util.LoggerFromContext(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("unable to get logger from ctx: %s", err)
+		}
+		logger.DebugContext(ctx, "http source upstream error", "status", resp.StatusCode, "body", truncateForLog(body, maxErrorBodyLogBytes))
+
+		statusText := http.StatusText(resp.StatusCode)
+		if statusText != "" {
+			return nil, fmt.Errorf("unexpected status code: %d (%s)", resp.StatusCode, statusText)
+		}
+		return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
 	}
 
 	var data any
@@ -170,3 +186,13 @@ func (s *Source) RunRequest(req *http.Request) (any, error) {
 	}
 	return data, nil
 }
+
+func truncateForLog(body []byte, limit int) string {
+	if limit <= 0 || len(body) == 0 {
+		return ""
+	}
+	if len(body) <= limit {
+		return string(body)
+	}
+	return fmt.Sprintf("%s...(%d bytes truncated)", string(body[:limit]), len(body)-limit)
+}
diff --git a/internal/sources/http/http_test.go b/internal/sources/http/http_test.go
@@ -15,14 +15,20 @@
 package http_test
 
 import (
+	"bytes"
 	"context"
+	nethttp "net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/googleapis/genai-toolbox/internal/log"
 	"github.com/googleapis/genai-toolbox/internal/server"
 	"github.com/googleapis/genai-toolbox/internal/sources"
 	"github.com/googleapis/genai-toolbox/internal/sources/http"
 	"github.com/googleapis/genai-toolbox/internal/testutils"
+	"github.com/googleapis/genai-toolbox/internal/util"
 )
 
 func TestParseFromYamlHttp(t *testing.T) {
@@ -63,6 +69,7 @@ func TestParseFromYamlHttp(t *testing.T) {
 			queryParams:
 				api-key: test_api_key
 				param: param-value
+			returnFullError: true
 			disableSslVerification: true
 			`,
 			want: map[string]sources.SourceConfig{
@@ -73,6 +80,7 @@ func TestParseFromYamlHttp(t *testing.T) {
 					Timeout:                "10s",
 					DefaultHeaders:         map[string]string{"Authorization": "test_header", "Custom-Header": "custom"},
 					QueryParams:            map[string]string{"api-key": "test_api_key", "param": "param-value"},
+					ReturnFullError:        true,
 					DisableSslVerification: true,
 				},
 			},
@@ -136,3 +144,85 @@ func TestFailParseFromYaml(t *testing.T) {
 		})
 	}
 }
+
+func TestRunRequestSanitizesErrorBodyByDefault(t *testing.T) {
+	server := httptest.NewServer(nethttp.HandlerFunc(func(w nethttp.ResponseWriter, r *nethttp.Request) {
+		w.WriteHeader(nethttp.StatusBadRequest)
+		_, _ = w.Write([]byte("sensitive details"))
+	}))
+	defer server.Close()
+
+	logger, err := log.NewLogger("standard", log.Debug, &bytes.Buffer{}, &bytes.Buffer{})
+	if err != nil {
+		t.Fatalf("failed to create logger: %v", err)
+	}
+	ctx := util.WithLogger(context.Background(), logger)
+
+	sourceConfig := http.Config{
+		Name:    "test-http",
+		Type:    http.SourceType,
+		BaseURL: server.URL,
+		Timeout: "30s",
+	}
+	initialized, err := sourceConfig.Initialize(ctx, nil)
+	if err != nil {
+		t.Fatalf("failed to initialize source: %v", err)
+	}
+	source := initialized.(*http.Source)
+
+	req, err := nethttp.NewRequestWithContext(ctx, nethttp.MethodGet, server.URL, nil)
+	if err != nil {
+		t.Fatalf("failed to build request: %v", err)
+	}
+
+	_, err = source.RunRequest(ctx, req)
+	if err == nil {
+		t.Fatalf("expected error for non-2xx response")
+	}
+	if strings.Contains(err.Error(), "sensitive details") {
+		t.Fatalf("expected sanitized error message, got %q", err.Error())
+	}
+	if !strings.Contains(err.Error(), "unexpected status code: 400") {
+		t.Fatalf("expected status code in error message, got %q", err.Error())
+	}
+}
+
+func TestRunRequestIncludesErrorBodyWhenEnabled(t *testing.T) {
+	server := httptest.NewServer(nethttp.HandlerFunc(func(w nethttp.ResponseWriter, r *nethttp.Request) {
+		w.WriteHeader(nethttp.StatusInternalServerError)
+		_, _ = w.Write([]byte("sensitive details"))
+	}))
+	defer server.Close()
+
+	logger, err := log.NewLogger("standard", log.Debug, &bytes.Buffer{}, &bytes.Buffer{})
+	if err != nil {
+		t.Fatalf("failed to create logger: %v", err)
+	}
+	ctx := util.WithLogger(context.Background(), logger)
+
+	sourceConfig := http.Config{
+		Name:            "test-http",
+		Type:            http.SourceType,
+		BaseURL:         server.URL,
+		Timeout:         "30s",
+		ReturnFullError: true,
+	}
+	initialized, err := sourceConfig.Initialize(ctx, nil)
+	if err != nil {
+		t.Fatalf("failed to initialize source: %v", err)
+	}
+	source := initialized.(*http.Source)
+
+	req, err := nethttp.NewRequestWithContext(ctx, nethttp.MethodGet, server.URL, nil)
+	if err != nil {
+		t.Fatalf("failed to build request: %v", err)
+	}
+
+	_, err = source.RunRequest(ctx, req)
+	if err == nil {
+		t.Fatalf("expected error for non-2xx response")
+	}
+	if !strings.Contains(err.Error(), "response body: sensitive details") {
+		t.Fatalf("expected response body in error message, got %q", err.Error())
+	}
+}
diff --git a/internal/tools/http/http.go b/internal/tools/http/http.go
@@ -52,7 +52,7 @@ type compatibleSource interface {
 	HttpDefaultHeaders() map[string]string
 	HttpBaseURL() string
 	HttpQueryParams() map[string]string
-	RunRequest(*http.Request) (any, error)
+	RunRequest(context.Context, *http.Request) (any, error)
 }
 
 type Config struct {
@@ -275,7 +275,7 @@ func (t Tool) Invoke(ctx context.Context, resourceMgr tools.SourceProvider, para
 		req.Header.Set(k, v)
 	}
 
-	resp, err := source.RunRequest(req)
+	resp, err := source.RunRequest(ctx, req)
 	if err != nil {
 		return nil, util.ProcessGeneralError(err)
 	}
diff --git a/tests/http/http_integration_test.go b/tests/http/http_integration_test.go
@@ -431,7 +431,7 @@ func runAdvancedHTTPInvokeTest(t *testing.T) {
 			requestBody: func() io.Reader {
 				return bytes.NewBuffer([]byte(`{"animalArray": ["rabbit", "ostrich", "whale"], "id": 4, "path": "tool3", "country": "US", "X-Other-Header": "test"}`))
 			},
-			want:       "error processing request: unexpected status code: 400, response body: Bad Request: Incorrect query parameter: id, actual: [2 1 4]",
+			want:       "error processing request: unexpected status code: 400 (Bad Request)",
 			isAgentErr: true,
 		},
 	}
@@ -509,6 +509,11 @@ func getHTTPToolsConfig(sourceConfig map[string]any, toolType string) map[string
 	otherSourceConfig["headers"] = map[string]string{"X-Custom-Header": "unexpected", "Content-Type": "application/json"}
 	otherSourceConfig["queryParams"] = map[string]any{"id": 1, "name": "Sid"}
 
+	clientID := tests.ClientId
+	if clientID == "" {
+		clientID = "test-client-id"
+	}
+
 	toolsFile := map[string]any{
 		"sources": map[string]any{
 			"my-instance":    sourceConfig,
@@ -517,7 +522,7 @@ func getHTTPToolsConfig(sourceConfig map[string]any, toolType string) map[string
 		"authServices": map[string]any{
 			"my-google-auth": map[string]any{
 				"type":     "google",
-				"clientId": tests.ClientId,
+				"clientId": clientID,
 			},
 		},
 		"tools": map[string]any{

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ type compatibleSource interface {`
`52`	`52`	`HttpDefaultHeaders() map[string]string`
`53`	`53`	`HttpBaseURL() string`
`54`	`54`	`HttpQueryParams() map[string]string`
`55`		`- RunRequest(*http.Request) (any, error)`
	`55`	`+ RunRequest(context.Context, *http.Request) (any, error)`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`type Config struct {`
`@@ -275,7 +275,7 @@ func (t Tool) Invoke(ctx context.Context, resourceMgr tools.SourceProvider, para`
`275`	`275`	`req.Header.Set(k, v)`
`276`	`276`	`}`
`277`	`277`
`278`		`- resp, err := source.RunRequest(req)`
	`278`	`+ resp, err := source.RunRequest(ctx, req)`
`279`	`279`	`if err != nil {`
`280`	`280`	`return nil, util.ProcessGeneralError(err)`
`281`	`281`	`}`