Pensar - auto fix for Sensitive Configuration Data Exposure via Unfiltered JSON Rendering #24

Open. Wants to merge 1 commit into base: canary.

Conversation

@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

Fixed a security vulnerability (CWE-200: Exposure of Sensitive Information) where sensitive configuration data was being directly exposed to the client through JSON.stringify(siteConfig).

The fix implements:

  1. A new sanitizeSiteConfig function that creates a deep copy of the configuration and recursively searches for potentially sensitive fields using comprehensive regex patterns
  2. When sensitive fields are detected (passwords, API keys, tokens, etc.), their values are replaced with "[REDACTED]"
  3. The display was improved by:
    • Replacing the raw JSON.stringify with a formatted, pretty-printed version
    • Adding a container with styling for better readability
    • Including a note that sensitive values have been redacted
    • Using conditional rendering to only display the config when it exists

This approach maintains the functionality of showing configuration data to administrators while preventing the exposure of sensitive information that could be used in security attacks.

More Details
Type: Application
Identifier: CWE-200
Severity: medium
Message: The code directly stringifies and renders the site configuration using JSON.stringify without any explicit filtering or sanitization. If the siteConfig object includes sensitive information (for example, database credentials, API keys, or other configuration data that should remain private), this could lead to exposure of sensitive data to unauthorized parties. The risk is moderate because it depends on the content of siteConfig and the context in which it is rendered.
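The comment above describes the shape of the fix (deep copy, recursive walk, regex match on key names, "[REDACTED]" substitution, pretty-printed output, conditional rendering) but the PR's own sanitizeSiteConfig is not shown on this page. The block below is an added, illustrative implementation written for this page, not the PR's code: the pattern list, the "[REDACTED]" and "[CIRCULAR]" markers, the URL-credential rule and the sample config are all assumptions. It goes one step past the description in two places a reviewer would want checked: it also redacts credentials embedded in connection URLs by value, since a key-name denylist alone misses those, and it guards against cyclic references so the walk cannot recurse forever.

```javascript
// Added example: key-name based redaction of a site config before rendering.
// Illustrative code, not the PR's sanitizeSiteConfig; the pattern list, the
// "[REDACTED]" marker and the URL rule are assumptions made for the example.

const REDACTED = "[REDACTED]";

// Denylist of key names that usually hold secrets. Matching is case-insensitive
// and unanchored, so "dbPassword", "API_KEY" and "refresh_token" all match.
const SENSITIVE_KEY_PATTERNS = [
  /passw(or)?d|passphrase/i,
  /secret/i,
  /token/i,
  /api[_-]?key/i,
  /private[_-]?key/i,
  /credential/i,
];

// userinfo in a URL, e.g. the "app:hunter2" in postgres://app:hunter2@host/db
const URL_USERINFO = /^([a-z][a-z0-9+.-]*:\/\/)([^/?#@\s]+)@/i;

function isSensitiveKey(key) {
  return SENSITIVE_KEY_PATTERNS.some((pattern) => pattern.test(key));
}

// A key-name denylist misses secrets stored under benign keys; the most common
// case is a connection URL with embedded credentials, handled here by value.
function redactUrlCredentials(text) {
  return text.replace(URL_USERINFO, `$1${REDACTED}@`);
}

// Builds a redacted deep copy; the input object is never mutated.
// `ancestors` holds the objects on the current path, so a cyclic reference is
// replaced with a marker instead of recursing until the stack overflows.
function sanitizeSiteConfig(value, ancestors = new Set()) {
  if (typeof value === "string") return redactUrlCredentials(value);
  if (value === null || typeof value !== "object") return value;
  if (ancestors.has(value)) return "[CIRCULAR]";
  ancestors.add(value);
  let copy;
  if (Array.isArray(value)) {
    copy = value.map((item) => sanitizeSiteConfig(item, ancestors));
  } else {
    copy = {};
    for (const [key, child] of Object.entries(value)) {
      copy[key] = isSensitiveKey(key) ? REDACTED : sanitizeSiteConfig(child, ancestors);
    }
  }
  ancestors.delete(value);
  return copy;
}

// What the admin page would render: pretty-printed JSON, or null when there is
// no config so the caller can skip the block entirely (conditional rendering).
function renderSiteConfig(siteConfig) {
  if (!siteConfig) return null;
  return JSON.stringify(sanitizeSiteConfig(siteConfig), null, 2);
}

// Constructed sample config (not real data) exercising nested objects, arrays,
// a credential-bearing URL and a secret under a key the denylist does not know.
const SAMPLE_CONFIG = {
  siteName: "simpl-cms-docs",
  database: {
    host: "db.internal",
    dbPassword: "hunter2",
    url: "postgres://app:hunter2@db.internal:5432/cms",
  },
  integrations: [
    { name: "github", API_KEY: "ghp_example" },
    { name: "analytics", id: "UA-000000" },
  ],
  // Deliberately NOT caught by the key denylist: shows the residual risk.
  webhookSigningValue: "whsec_example",
};

console.log(renderSiteConfig(SAMPLE_CONFIG));
```

Note the last sample field: a regex over key names is a denylist, so any secret stored under a name the patterns do not anticipate still reaches the client. A safer design for an admin view is an allowlist of fields known to be displayable, or never shipping the raw server config to the browser at all; the denylist above reduces exposure but does not close CWE-200 by itself.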


vercel bot commented Apr 1, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name: simpl-cms-docs
Status: ✅ Ready
Preview: Visit Preview
Updated (UTC): Apr 1, 2025 7:31am
