fix(security): avoid disclosing raw error details in bedrock CommonGenerator [ACT-3524]#11056
Closed
Tyler (tylerwashington888) wants to merge 2 commits into
Closed
fix(security): avoid disclosing raw error details in bedrock CommonGenerator [ACT-3524]#11056Tyler (tylerwashington888) wants to merge 2 commits into
Tyler (tylerwashington888) wants to merge 2 commits into
Conversation
Replace `console.error(error)` with a fully sanitized message in the CommonGenerator catch block to prevent raw error objects and stack traces from being surfaced in browser consoles. Addresses Wiz SAST finding WS-I002-JAVASCRIPT-00027 (CWE-209, CRITICAL). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Author
|
Superseded by consolidated PR #11057. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
Remediates Wiz SAST finding WS-I002-JAVASCRIPT-00027 (Disclosure of Error Details and Stack Traces, CWE-209, CRITICAL severity) in the Bedrock Content Generator app.
Passing a raw error object to
console.errorcan expose internal stack traces, error messages, and implementation details in browser consoles and log aggregators, which constitutes information disclosure.Approach
Single-line change at line 75 of
apps/bedrock-content-generator/src/components/app/dialog/common-generator/CommonGenerator.tsx.Before:
After:
The raw error object is replaced with a fully sanitized static string. No error details, message fragments, or stack trace components are logged.
Wiz remediation guidance (quoted):
Validity assessment: VALID — line 75 is a textbook match for WS-I002.
console.error(error)passes the raw error object directly in a catch block in a non-test production file. Confidence score: 96/100 (HIGH).Confidence breakdown:
Note: A prior PR (#11050) for this ticket was closed without merging on 2026-07-02. That PR used a partial fix that still passed
error.messagethrough aninstanceofguard. This PR applies the fully sanitized string per Wiz guidance.Testing steps
An error occurred. Please try again.instead of the raw Error object or any error message fragment.npx nx test bedrock-content-generatorBreaking Changes
None. This is a one-line logger message change with no behavior impact on the happy path.
Dependencies and/or References
Deployment
No deployment concerns. Logger-only change, no schema or API impact.