
fix(security): remediate WS-I002 error disclosure [ACT-3524]#11050

Closed
Tyler (tylerwashington888) wants to merge 1 commit into master from security/wiz-ACT-3524
Closed


Conversation

@tylerwashington888

Contributor

Purpose

Remediates Wiz SAST finding WS-I002-JAVASCRIPT-00027 (Disclosure of Error Details and Stack Traces) in the Bedrock Content Generator app.

Passing raw error objects to console.error can expose internal stack traces, error messages, and implementation details in production logs, which may leak sensitive information.

Approach

Single-line change in CommonGenerator.tsx at line 75.

Before:

} catch (error) {
  console.error(error);
}

After:

} catch (error) {
  console.error('Generation failed:', error instanceof Error ? error.message : 'Unknown error');
}

The raw error object is replaced with a controlled string. The error.message is included (not a stack trace) for debuggability, guarded by an instanceof Error check to avoid leaking non-Error throw values.

Validity assessment: VALID — line 75 is a textbook match for WS-I002 (console.error(error) with raw error object in a catch block, in a non-test file). Confidence: HIGH.

Note: Wiz API was unavailable (WIZ_API_TOKEN not set); the fix was inferred from the rule ID and direct code inspection. The pattern is unambiguous.

Testing steps

  1. Open the Bedrock Content Generator app in a Contentful space.
  2. Trigger a generation failure (e.g., disconnect network or use an invalid locale).
  3. Verify the console shows Generation failed: <message> instead of the raw Error object.
  4. Run unit tests: npx nx test bedrock-content-generator

Breaking Changes

None. This is a one-line logger message change with no behavior impact on the happy path.

Dependencies and/or References

Deployment

No deployment concerns. Logger-only change, no schema or API impact.

Note: This PR was created with the contentful-github-create-pull-request skill, powered by Agents Kit. To follow or use this workflow, see the Agents Kit CLI skill docs.
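The sanitisation pattern from the "After" snippet, written out as a small standalone helper so the three cases a catch block can see (an Error, a thrown non-Error value, and an Error whose stack would otherwise be printed) are exercised together. This is an added example, not code from the PR or from the Bedrock Content Generator app; the function names, the `logGenerationFailure` wrapper and the constructed sample stack string are assumptions made here for illustration.

```typescript
// Added example (not the PR's code). Reduces any thrown value to a string that
// is safe to send to console.error in production: the message is kept for
// debuggability, the stack trace is dropped, and non-Error throw values are
// replaced by a fixed label instead of being logged verbatim.
function describeError(err: unknown): string {
  if (err instanceof Error) {
    // Message only; err.stack (file paths, line numbers, frames) never reaches the log.
    return err.message;
  }
  // Strings, numbers, plain objects, undefined: collapsed to a constant so that
  // arbitrary thrown payloads cannot end up in log output unchanged.
  return 'Unknown error';
}

// Mirrors the exact log line used in the PR's "After" snippet.
function formatGenerationFailure(err: unknown): string {
  return `Generation failed: ${describeError(err)}`;
}

// Minimal logger interface so the wrapper can be unit-tested without console.
interface ErrorLogger {
  error(...args: unknown[]): void;
}

// Hypothetical drop-in for the catch block: logs the sanitised line and returns
// it so callers (and tests) can inspect what was actually emitted.
function logGenerationFailure(err: unknown, logger: ErrorLogger = console): string {
  const line = formatGenerationFailure(err);
  logger.error(line);
  return line;
}

// Detects a V8-style stack frame ("    at fn (file:line:col)") in a log line.
function containsStackFrame(line: string): boolean {
  return /\n\s+at\s/.test(line);
}

// Constructed sample: what a raw console.error(error) would have printed for
// the failure on line 75 of CommonGenerator.tsx (path and frame are illustrative).
const CONSTRUCTED_RAW_STACK =
  'Error: Invalid locale\n    at generate (/app/src/CommonGenerator.tsx:75:11)';

// Runs the helper over the three catch-block cases and reports, per case,
// whether a stack frame survived into the log line.
function sanitisationReport(): Record<string, { line: string; leaksStack: boolean }> {
  const errWithStack = new Error('Invalid locale');
  errWithStack.stack = CONSTRUCTED_RAW_STACK;
  const cases: Record<string, unknown> = {
    error: errWithStack,
    thrownString: 'socket hang up',
    thrownObject: { code: 500, internalHost: 'db-01.internal' },
  };
  const report: Record<string, { line: string; leaksStack: boolean }> = {};
  const sink: ErrorLogger = { error: () => undefined };
  for (const [name, value] of Object.entries(cases)) {
    const line = logGenerationFailure(value, sink);
    report[name] = { line, leaksStack: containsStackFrame(line) };
  }
  return report;
}
```

One caveat worth keeping in mind when reviewing changes of this kind: `error.message` is still free text produced by whatever threw, so the PR's approach removes the stack and implementation frames but does not guarantee the message itself is free of internal detail; the `containsStackFrame` check above covers only the stack-trace half of the finding.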

…[ACT-3524]

Replace bare console.error(error) with a sanitized message to prevent
raw error objects and stack traces from being logged in production,
addressing Wiz SAST finding WS-I002-JAVASCRIPT-00027.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tylerwashington888

Contributor Author

Closing — fix was applied without Wiz MCP analysis as intended. Will be re-opened correctly.
