fix(security): remediate WS-I002 error disclosure [ACT-3524] #11050
Closed
Tyler (tylerwashington888) wants to merge 1 commit into
Conversation
…[ACT-3524] Replace bare console.error(error) with a sanitized message to prevent raw error objects and stack traces from being logged in production, addressing Wiz SAST finding WS-I002-JAVASCRIPT-00027. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Tyler (tylerwashington888), Contributor, Author:
Closing — fix was applied without Wiz MCP analysis as intended. Will be re-opened correctly.
Purpose
Remediates Wiz SAST finding WS-I002-JAVASCRIPT-00027 (Disclosure of Error Details and Stack Traces) in the Bedrock Content Generator app.
Passing raw error objects to `console.error` can expose internal stack traces, error messages, and implementation details in production logs, which may leak sensitive information.

Approach
Single-line change in `CommonGenerator.tsx` at line 75.
Before:
After:
The raw error object is replaced with a controlled string. The `error.message` is included (not a stack trace) for debuggability, guarded by an `instanceof Error` check to avoid leaking non-Error throw values.
Validity assessment: VALID — line 75 is a textbook match for WS-I002 (`console.error(error)` with raw error object in a catch block, in a non-test file). Confidence: HIGH.
Note: Wiz API was unavailable (`WIZ_API_TOKEN` not set); the fix was inferred from the rule ID and direct code inspection. The pattern is unambiguous.

Testing steps
- `Generation failed: <message>` is logged instead of the raw Error object.
- `npx nx test bedrock-content-generator`

Breaking Changes
None. This is a one-line logger message change with no behavior impact on the happy path.

Dependencies and/or References

Deployment
No deployment concerns. Logger-only change, no schema or API impact.
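The remediation pattern the description gives (a controlled log string that carries only `error.message`, behind an `instanceof Error` guard so that non-Error throw values are not stringified into the log), as an added TypeScript example that is not code from the PR or from the Bedrock Content Generator app. The function names (`formatFailureMessage`, `safeLogError`, `demonstrateLeak`) and the injectable log sink are assumptions made for the example; the `Generation failed: <message>` wording follows the PR's testing step.

```typescript
// Added example, not code from the PR or the Bedrock Content Generator app.
// Names below (formatFailureMessage, safeLogError, demonstrateLeak, sink) are assumptions.

/** Build the single controlled log line: "Generation failed: <message>". */
export function formatFailureMessage(err: unknown): string {
  // instanceof guard: without it, a thrown string, number or plain object would be
  // rendered with its full contents, and an Error object would print its stack.
  const message = err instanceof Error ? err.message : "non-Error value thrown";
  return `Generation failed: ${message}`;
}

/**
 * Log through an injectable sink (defaults to console.error) so the emitted line
 * can be checked offline. Returns the line that was written.
 */
export function safeLogError(
  err: unknown,
  sink: (line: string) => void = console.error,
): string {
  const line = formatFailureMessage(err);
  sink(line);
  return line;
}

/**
 * Before/after comparison on a constructed Error: the 'before' form
 * (console.error(error)) renders err.stack, which names internal source files
 * and call sites; the sanitized form carries only the message text.
 */
export function demonstrateLeak(): { raw: string; sanitized: string } {
  const err = new Error("upstream model returned HTTP 500"); // constructed sample
  const raw = String(err.stack ?? err.message); // what the raw object would leak
  const sanitized = formatFailureMessage(err);
  return { raw, sanitized };
}

// Stand-alone usage: a caught Error and a caught non-Error value.
safeLogError(new Error("boom"));
safeLogError({ apiKey: "constructed-secret-value" });
```

The second `safeLogError` call is the case the `instanceof Error` guard exists for: a thrown plain object would otherwise be serialised into the log with every field, which is exactly the kind of incidental disclosure WS-I002 flags.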