Skip to content

fix(security): avoid disclosing raw error details in bedrock CommonGenerator [ACT-3524]#11056

Closed
Tyler (tylerwashington888) wants to merge 2 commits into
masterfrom
security/wiz-ACT-3524-v2
Closed

fix(security): avoid disclosing raw error details in bedrock CommonGenerator [ACT-3524]#11056
Tyler (tylerwashington888) wants to merge 2 commits into
masterfrom
security/wiz-ACT-3524-v2

Conversation

@tylerwashington888

Copy link
Copy Markdown
Contributor

Note: This PR was created by the Codex Wiz SAST Remediation Agent on behalf of Tyler Washington.

Purpose

Remediates Wiz SAST finding WS-I002-JAVASCRIPT-00027 (Disclosure of Error Details and Stack Traces, CWE-209, CRITICAL severity) in the Bedrock Content Generator app.

Passing a raw error object to console.error can expose internal stack traces, error messages, and implementation details in browser consoles and log aggregators, which constitutes information disclosure.

Approach

Single-line change at line 75 of apps/bedrock-content-generator/src/components/app/dialog/common-generator/CommonGenerator.tsx.

Before:

} catch (error) {
  console.error(error);
}

After:

} catch (error) {
  console.error('An error occurred. Please try again.');
}

The raw error object is replaced with a fully sanitized static string. No error details, message fragments, or stack trace components are logged.

Wiz remediation guidance (quoted):

Replace console.error(error) with a sanitized message:

} catch (error) {
  console.error('An error occurred. Please try again.');
}

Validity assessment: VALID — line 75 is a textbook match for WS-I002. console.error(error) passes the raw error object directly in a catch block in a non-test production file. Confidence score: 96/100 (HIGH).

Confidence breakdown:

  • Wiz remediation guidance specific and actionable: 28/30
  • Flagged code pattern unambiguous: 25/25
  • Fix is localised: 20/20
  • Rule is known with defined fix pattern: 15/15
  • File drift since Wiz scan: 8/10

Note: A prior PR (#11050) for this ticket was closed without merging on 2026-07-02. That PR used a partial fix that still passed error.message through an instanceof guard. This PR applies the fully sanitized string per Wiz guidance.

Testing steps

  1. Open the Bedrock Content Generator app in a Contentful space.
  2. Trigger a generation failure (e.g., disconnect network or use an invalid locale).
  3. Verify the console shows An error occurred. Please try again. instead of the raw Error object or any error message fragment.
  4. Run unit tests: npx nx test bedrock-content-generator

Breaking Changes

None. This is a one-line logger message change with no behavior impact on the happy path.

Dependencies and/or References

Deployment

No deployment concerns. Logger-only change, no schema or API impact.

Note: This PR was created with the contentful-github-create-pull-request skill, powered by Agents Kit. To follow or use this workflow, see the Agents Kit CLI skill docs.

Replace `console.error(error)` with a fully sanitized message in the
CommonGenerator catch block to prevent raw error objects and stack
traces from being surfaced in browser consoles. Addresses Wiz SAST
finding WS-I002-JAVASCRIPT-00027 (CWE-209, CRITICAL).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tylerwashington888

Copy link
Copy Markdown
Contributor Author

Superseded by consolidated PR #11057.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant