From 02a9f5b4b8430bf1c45601fcab567584dd666a1a Mon Sep 17 00:00:00 2001
From: ldsgroups225 <173761647+ldsgroups225@users.noreply.github.com>
Date: Sun, 29 Mar 2026 23:13:48 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM]=20?=
 =?UTF-8?q?Fix=20stack=20trace=20exposure=20in=20error=20boundary?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/core/src/components/default-catch-boundary.tsx | 2 +-
 apps/school/src/components/default-catch-boundary.tsx | 2 +-
 pr_desc.txt | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 pr_desc.txt
diff --git a/apps/core/src/components/default-catch-boundary.tsx b/apps/core/src/components/default-catch-boundary.tsx
index 02bc745f..cc58cc28 100644
--- a/apps/core/src/components/default-catch-boundary.tsx
+++ b/apps/core/src/components/default-catch-boundary.tsx
@@ -28,7 +28,7 @@ export function DefaultCatchBoundary({ error }: ErrorComponentProps) {
   // Format error details for display
   const errorMessage = error?.message || 'An unexpected error occurred'
-  const errorStack = error?.stack || ''
+  const errorStack = import.meta.env.DEV ? (error?.stack || '') : ''
   const hasStack = errorStack.length > 0
   const handleReportError = () => {
diff --git a/apps/school/src/components/default-catch-boundary.tsx b/apps/school/src/components/default-catch-boundary.tsx
index e08b8159..690bbd06 100644
--- a/apps/school/src/components/default-catch-boundary.tsx
+++ b/apps/school/src/components/default-catch-boundary.tsx
@@ -38,7 +38,7 @@ export function DefaultCatchBoundary({ error, reset }: ErrorComponentProps) {
   const [copied, setCopied] = useState(false)
   const errorMessage = error?.message || t.common.unexpectedError()
-  const errorStack = error?.stack || ''
+  const errorStack = import.meta.env.DEV ? (error?.stack || '') : ''
   const hasStack = errorStack.length > 0
   const handleCopyError = async () => {
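Review bot: In both the core and the school hunk the new `import.meta.env.DEV` gate covers only `errorStack`, while `errorMessage` on the line above still renders `error?.message` verbatim in production; messages from thrown database, fetch or filesystem errors frequently carry the same internal paths and identifiers the commit sets out to hide, so the message likely deserves the same treatment, e.g. `const errorMessage = import.meta.env.DEV && error?.message ? error.message : 'An unexpected error occurred'` (with `t.common.unexpectedError()` as the production fallback in the school app). The `handleReportError` and `handleCopyError` handlers that open on each hunk's last line are not visible here; if they read `error?.stack` directly rather than `errorStack`, the trace still leaves the page through the report/copy path, which is worth confirming in the same change. A short comment above the gated line, `// Stack traces are surfaced in dev builds only; production renders the message alone`, would record the intent for the next maintainer. `DefaultCatchBoundary` begins before and continues after each hunk.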
diff --git a/pr_desc.txt b/pr_desc.txt
new file mode 100644
index 00000000..3af2d6f6
--- /dev/null
+++ b/pr_desc.txt
@@ -0,0 +1,5 @@
+🚨 Severity: MEDIUM
+💡 Vulnerability: The application was exposing full error stack traces in `DefaultCatchBoundary` to the user interface in production.
+🎯 Impact: This could potentially leak internal application paths, code structure, or dependencies to end-users or attackers during an unexpected error.
+🔧 Fix: Used `import.meta.env.DEV` to check if we are in development mode and only populated the `errorStack` constant when `DEV` is true.
+✅ Verification: Verify that the error boundary still catches errors correctly and the UI correctly doesn't render stack trace sections when `NODE_ENV` / `import.meta.env.DEV` resolves to false.
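Review bot: `pr_desc.txt` is committed at the repository root although its content is the pull-request description rather than project documentation or source; it will ship with the tree, so it belongs in the PR body and should be dropped from the commit (or ignored via `.gitignore` if the Sentinel tooling keeps generating it). The `✅ Verification` line also names `NODE_ENV` as an alternative to `import.meta.env.DEV`, but the code in the other two hunks checks only the latter; the two are not the same switch in every build setup, so the description should name the condition that is actually tested.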