Potential fix for code scanning alert no. 59: Information exposure through an exception

[matheper]

Potential fix for https://github.com/microsoft/debug-gym/security/code-scanning/59

To fix the problem, the response sent to the user must not contain the raw exception message. Instead, the application should return a generic, non-sensitive error string and, if detailed diagnostics are needed, log the exception on the server. This prevents disclosure of filesystem paths or other environment details while preserving debuggability.

Concretely, in analysis/json_log_viewer/json_log_viewer.py around line 580, replace return jsonify({"error": f"Permission denied: {str(e)}"}), 403 with a response that uses a fixed, generic message such as "Permission denied". If the application wants to retain diagnostics, it can log e (for example, using Python’s logging module) before returning the generic message. To do that without altering existing behavior from the caller’s perspective, we can add an import for logging, configure a basic logger (or rely on defaults if already configured elsewhere), and log the exception inside the except block, while still returning a simple "Permission denied" error to the client.

Specifically:

• Add import logging near the top of json_log_viewer.py alongside the other imports.
• Optionally, add a minimal logging configuration if none exists (for example, logging.basicConfig(level=logging.INFO)), though this is not strictly required for correctness.
• In the browse_directory function’s outer except (OSError, PermissionError) as e: block, add a logging call like logging.exception("Error browsing directory") (which logs the stack trace) and change the returned error JSON to a static message that does not include e’s text.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.