Skip to content

fix(security): avoid disclosing raw error details in bedrock RewriteGenerator [ACT-3522]#11055

Closed
Tyler (tylerwashington888) wants to merge 2 commits into
masterfrom
security/wiz-ACT-3522
Closed

fix(security): avoid disclosing raw error details in bedrock RewriteGenerator [ACT-3522]#11055
Tyler (tylerwashington888) wants to merge 2 commits into
masterfrom
security/wiz-ACT-3522

Conversation

@tylerwashington888

Copy link
Copy Markdown
Contributor

Purpose

Remediate Wiz SAST critical finding WS-I002-JAVASCRIPT-00027 (CWE-209 — Disclosure of Error Details and Stack Traces) in the bedrock RewriteGenerator component. The raw error object was being passed directly to console.error(), which can expose internal stack traces and error internals in production logs.

Approach

Single-line change to line 58 of apps/bedrock-content-generator/src/components/app/dialog/rewrite-generator/RewriteGenerator.tsx.

Wiz remediation guidance (quoted):

Replace console.error(error) with a sanitized message to prevent raw error objects (which may contain stack traces, internal paths, or sensitive runtime details) from appearing in logs.

Before (lines 57–59):

} catch (error) {
  console.error(error);
}

After:

} catch (error) {
  console.error('An error occurred. Please try again.');
}

No other lines or files were touched. The catch block still handles the error path; it simply no longer forwards the raw error object to the console.

Testing steps

  1. Open the bedrock content generator app dialog.
  2. Trigger a rewrite operation that fails (e.g. with a bad AWS config or network error).
  3. Confirm the console logs An error occurred. Please try again. rather than a raw error object or stack trace.

Breaking Changes

None. This is a purely logging-level change — the error is still caught and handled; only the console output is sanitized.

Dependencies and/or References

Deployment

No deployment concerns. This is a client-side logging change only.

Note: This PR was created with the contentful-github-create-pull-request skill, powered by Agents Kit. To follow or use this workflow, see the Agents Kit CLI skill docs.


Codex agent acting on behalf of Tyler Washington — automated Wiz SAST remediation.

Replace console.error(error) with a sanitized message to prevent stack
traces and raw error internals from leaking through the console in the
bedrock RewriteGenerator component. Addresses Wiz SAST finding
WS-I002-JAVASCRIPT-00027 (CWE-209, critical severity).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tylerwashington888

Copy link
Copy Markdown
Contributor Author

Superseded by consolidated PR #11057.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant