
fix(security): sanitize error disclosure in graphql-playground ConfigScreen [ACT-3525]#11047

Open
Tyler (tylerwashington888) wants to merge 1 commit into master from security/wiz-ACT-3525

Conversation

@tylerwashington888 Tyler (tylerwashington888) commented Jul 1, 2026

Contributor

Purpose

Remediates Wiz SAST finding ACT-3525 — rule WS-I002-JAVASCRIPT-00027 (Disclosure of Error Details and Stack Traces).

Wiz issue: https://app.wiz.io/p/production/issues#%7E%28issue%7E%27d56cc137-4b03-426c-a378-7d3d4ecd280c%29

Approach

The onConfigure catch block in ConfigScreen.tsx was passing the raw error object directly to console.error, which can expose internal stack traces and error details.

Before:

} catch (error) {
  console.error(error);
}

After:

} catch (error) {
  console.error('Failed to configure app:', error instanceof Error ? error.message : 'Unknown error');
}

Validity: confirmed — console.error(error) at line 164 passes the full error object. No false positive.

Note: Wiz API token unavailable in this run. Fix derived from rule WS-I002-JAVASCRIPT-00027 + direct code inspection at flagged lines 147–165.

Testing steps

No functional change — catch block behaviour is unchanged, only the log output is sanitized.

Breaking Changes

None.

Dependencies and/or References

  • ACT-3525
  • Wiz rule: WS-I002-JAVASCRIPT-00027 — Disclosure of Error Details and Stack Traces

Note: This PR was created with the wiz-remediation agent on behalf of Tyler Washington. 🤖
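As an added example, not code from this PR or from the graphql-playground project, the TypeScript below generalises the PR's `error instanceof Error ? error.message : 'Unknown error'` expression into a helper that also copes with thrown strings and plain message-bearing objects, and pairs it with a check showing that the raw-object form the PR removes would have carried a stack trace into the log. The function names (`safeErrorMessage`, `formatConfigError`, `rawLogLeaksStack`) and the sample thrown values are assumptions constructed for this example.

```typescript
// Added example, not project code: a log-safe rendering of a caught value.
// Assumed helper names; the PR only shows the inline ternary in ConfigScreen.tsx.

/** Return a short, stack-free description of whatever was thrown. */
function safeErrorMessage(err: unknown): string {
  if (err instanceof Error) {
    // Only the message is kept; `err.stack` and any attached props are dropped.
    return err.message || err.name;
  }
  if (typeof err === "string") {
    return err;
  }
  // Some libraries throw plain objects shaped like { message: "..." }.
  if (typeof err === "object" && err !== null && "message" in err) {
    const msg = (err as { message?: unknown }).message;
    if (typeof msg === "string") {
      return msg;
    }
  }
  return "Unknown error";
}

/** What the PR's sanitized catch block would hand to console.error. */
function formatConfigError(err: unknown): string {
  return `Failed to configure app: ${safeErrorMessage(err)}`;
}

/**
 * Does the "Before" form (logging the raw value) carry a stack trace?
 * console.error(error) prints Error.stack, which includes "    at ..." frames.
 */
function rawLogLeaksStack(err: unknown): boolean {
  const raw = err instanceof Error ? String(err.stack ?? "") : String(err);
  return /\n\s+at /.test(raw);
}

// Constructed sample inputs, run stand-alone:
const samples: unknown[] = [
  new Error("boom"),
  "timeout",
  { message: "denied" },
  null,
  42,
];
for (const s of samples) {
  console.log(`${formatConfigError(s)}  | raw form leaks stack: ${rawLogLeaksStack(s)}`);
}
```

The message alone can still echo internal detail (file paths, hostnames) when a library embeds them in `message`, so on a surface an end user can reach the stricter pattern is a fixed string plus an opaque correlation id, with the full error kept for a developer-only channel.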

…Screen [ACT-3525]

Replaces raw console.error(error) with a sanitized message to prevent
stack trace and error detail disclosure flagged by WS-I002-JAVASCRIPT-00027.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
