Security Advisory: SCR-12 — Fixing Error Message Data Leakage in TrueLayer and Resend Clients
Version: 1.0.464
Severity: Medium
Category: Data Leak Prevention
Summary
Version 1.0.464 closes a data leakage path identified in supply chain security review SCR-12. Raw HTTP response bodies from the TrueLayer API and the Resend email service were being embedded verbatim into thrown exceptions and log output. These strings could contain OAuth error details, partial token information, or PII-adjacent data, and were flowing into both Sentry error reports and tRPC error responses returned to callers.
What Was the Problem?
TrueLayer Client
Four methods in src/lib/truelayer/client.ts constructed error messages by interpolating the raw API response body directly into the message string:
TrueLayer ${operation} failed (${res.status}): ${text}
The affected methods were:
- exchangeCode — OAuth authorisation code exchange
- refreshAccessToken — OAuth token refresh
- listAccounts — fetching connected bank accounts
- listTransactions — fetching account transactions
TrueLayer error responses for OAuth operations in particular can include fields such as error, error_description, and related token metadata. Embedding these verbatim into exception messages meant the data was:
- Passed to captureError() and sent to Sentry.
- Potentially surfaced to tRPC API callers as a BAD_GATEWAY error message.
Resend Client
Similarly, the Resend integration logged the raw response body text on failure, creating an equivalent leakage path into application logs.
What Changed?
TruelayerApiException Class
A dedicated TruelayerApiException exception class has been introduced in src/lib/truelayer/client.ts. This mirrors the pattern already established in the HMRC client. Before an error message is stored in the exception, the response body is passed through the existing redactString() utility from src/lib/sentry.ts.
redactString() strips token-looking strings from text — such as bearer tokens, access tokens, and refresh tokens — replacing them with redacted placeholders. Only the sanitised string is stored in the exception message and forwarded to error handlers or callers.
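The following is an added example, not the project's own code, illustrating the shape of the fix described above (and, by extension, the equivalent sanitisation applied to Resend log output). It shows the leaky "before" message construction next to a TruelayerApiException-style class that only ever stores a sanitised body. The redaction patterns, the exported names and the sample response body are assumptions for illustration; the project's real redactString() in src/lib/sentry.ts may use different rules.

```typescript
// Added example (not the project's code). Assumed redaction rules that mimic the
// described behaviour of redactString(): strip token-looking strings and replace
// them with placeholders, leaving error codes and human-readable text intact.
const REDACTION_PATTERNS: Array<[RegExp, string]> = [
  // "Bearer <token>" in headers or prose; keep the scheme word, drop the token.
  [/(\bbearer\s+)[A-Za-z0-9\-._~+/]+=*/gi, "$1[REDACTED]"],
  // JSON-style fields that carry secrets: "access_token": "...", "refresh_token": "...".
  [
    /("?(?:access_token|refresh_token|id_token|client_secret)"?\s*[:=]\s*")[^"]*(")/gi,
    "$1[REDACTED]$2",
  ],
  // Form/query-encoded token parameters: access_token=..., refresh_token=..., code=...
  [/\b((?:access_token|refresh_token|code)=)[^&\s]+/gi, "$1[REDACTED]"],
  // Anything that looks like a JWT (three base64url segments).
  [/\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g, "[REDACTED_JWT]"],
];

// Hypothetical stand-in for the project's redactString() from src/lib/sentry.ts.
export function redactString(input: string): string {
  return REDACTION_PATTERNS.reduce((s, [re, repl]) => s.replace(re, repl), input);
}

// BEFORE: the pattern SCR-12 flagged. The raw upstream body goes straight into
// the message, and from there into captureError() and tRPC BAD_GATEWAY responses.
export function buildLeakyMessage(operation: string, status: number, text: string): string {
  return `TrueLayer ${operation} failed (${status}): ${text}`;
}

// AFTER: a dedicated exception class whose constructor is the single place the
// body is turned into a message, so sanitisation cannot be skipped by a caller.
export class TruelayerApiException extends Error {
  readonly status: number;
  readonly operation: string;

  constructor(operation: string, status: number, rawBody: string) {
    // Redact before super() materialises the message: nothing downstream
    // (Sentry, tRPC error responses, logs) ever sees the raw body.
    super(`TrueLayer ${operation} failed (${status}): ${redactString(rawBody)}`);
    this.name = "TruelayerApiException";
    this.status = status;
    this.operation = operation;
  }
}

// Constructed sample of a TrueLayer-style OAuth error body (not a real response).
export const SAMPLE_TOKEN_ERROR_BODY = JSON.stringify({
  error: "invalid_grant",
  error_description: "Refresh token expired",
  refresh_token: "rt_abc123def456",
});

// Constructed samples of token material appearing in free text (not real tokens).
export const SAMPLE_BEARER_TEXT =
  "Authorization header 'Bearer eyJhbGciOi.eyJzdWIi.abcdefghij' rejected";
export const SAMPLE_JWT_TEXT = "token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcdefghijklmnop";
```

The important design point is that sanitisation happens inside the exception constructor rather than at each call site: the four affected methods all throw the same class, so a future method added to the client cannot reintroduce the leak by forgetting to call redactString(). The same helper can be applied to the Resend response text immediately before it is logged.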
Resend Logging
Resend failure log output is updated to apply equivalent sanitisation before the response text is emitted.
Impact on Users and Integrations
- No functional change. Bank feed connections, transaction imports, and email delivery behaviour are unaffected.
- Sentry error reports for TrueLayer and Resend failures will now show redacted error bodies rather than raw API responses.
- tRPC BAD_GATEWAY errors surfaced to API callers will no longer include raw upstream response text.
- Audit trails for failed operations remain intact; only the sensitive content within error messages is redacted.
Relationship to Existing Patterns
This fix brings TrueLayer and Resend error handling into alignment with the HMRC client, which already used a dedicated exception class and redactString() sanitisation. The same approach is now applied consistently across all third-party API integrations in the platform.
Recommendations for Self-Hosted Deployments
If you operate a self-hosted instance, upgrade to v1.0.464 immediately. Prior versions should be considered to have a medium-severity data exposure risk in error monitoring and API error responses for any scenario where TrueLayer OAuth flows or bank feed operations fail.
After upgrading, review your Sentry project's stored issues for any historical TrueLayer or Resend error events that may contain raw response bodies, and purge them according to your data handling policy. Apply the same review to any log store that received Resend failure output, since prior versions wrote the raw response text to application logs.