Handle Errors Without Leaking Information
Don't Propagate Raw Upstream Error Bodies
The connector framework can return the upstream API's raw error body to Flow Builder. The body can contain stack traces, internal hostnames, and account IDs. The same path can become a data-smuggling channel: a crafted upstream error body passes through to Flow variables, where downstream consumers can capture it.
Do: Return a generic error message and a correlation ID for log lookup.
Don't: Pass response.error.value.body or response.error.value.body.^raw to the error output.
Example
Vulnerable
    if (response.success is false and response.error.value.body?)
      (error:
        if (isEmpty(response.error.value.body.^raw))
          write(response.error.value.body, "application/dw") as String
        else
          response.error.value.body.^raw as String)
Secure
Apply the principle: return only a generic message and a correlation ID for log lookup.
    if (response.success is false and (response.error.value.body? default false))
      {
        error: "upstream-failed",
        correlationId: (vars.correlationId default attributes.headers."x-correlation-id") default ""
      }
    else
      response.payload
Strip Implementation Details from Error Messages
DataWeave's default error messages expose internal type names, field names, and stack details. Users see these details when a connector operation fails in Flow.
Do: Return a stable, generic error code or message.
Don't: Pass result.error or coercion errors directly into the response.
Example
Vulnerable
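    import try from dw::Runtime
    var result = try(() -> payload.amount as Number)
    ---
    // result.error carries the raw coercion failure, including internal details
    if (result.success) result.result else { error: result.error }
Secure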
    import try from dw::Runtime
    var result = try(() -> payload.amount as Number)
    ---
    // Only a stable code leaves the script; result.error is never returned
    if (result.success) result.result else { error: "invalid-amount" }
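The following added example (not code from the original page or the connector framework) combines both rules: every failure leaves the script through one function that emits only fixed codes and the correlation ID. The sample response, the dueDate field, the reasons key, and the helper names failure and coerce are assumptions made for illustration.

```dataweave
%dw 2.0
import try from dw::Runtime
output application/json

// Constructed stand-ins for the connector response and the Flow correlation ID.
var response = {
  success: true,
  payload: { amount: "12,50x", dueDate: "31/02/2024", currency: "EUR" }
}
var correlationId = "constructed-correlation-id"

// Single exit point for errors: fixed codes plus the ID, nothing from upstream.
fun failure(code, reasons) =
  { error: code, reasons: reasons, correlationId: correlationId }

// Run a coercion under try; on failure keep the stable code and drop r.error.
fun coerce(code, f) = do {
  var r = try(f)
  ---
  if (r.success) { ok: true, value: r.result } else { ok: false, code: code }
}

var p = response.payload
var checks = {
  amount: coerce("invalid-amount", () -> p.amount as Number),
  dueDate: coerce("invalid-due-date", () -> p.dueDate as Date)
}
var failed = (checks pluck $) filter (c) -> not c.ok
---
if (response.success == false)
  // response.error.value.body is never read on this path
  failure("upstream-failed", [])
else if (isEmpty(failed))
  checks mapObject (c, field) -> { (field): c.value }
else
  failure("invalid-request", failed map (c) -> c.code)
```

Because neither response.error nor the try result's error field is referenced in any output branch, a crafted upstream body or a verbose coercion message has no path into Flow variables.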