@Alex-Alaniz Alex-Alaniz commented Oct 30, 2025

  • Extract clean messages from GCP/Azure error responses
  • Add info banner explaining propagation delays (12-24h) for empty results
  • Auto-dismiss error banners after 30 seconds

Fixes JSON blob display in GCP errors, adds context for empty scan results, and prevents error banner clutter.

What does this PR do?

  • Fixes #XXXX (GitHub issue number)
  • Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

  • Show screen recordings of the issue or feature.
  • Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

  • Add side-by-side screenshots of the original and updated change.
  • Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

comp-ai-code-review bot commented Oct 30, 2025

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

No OSV CVEs found in scanned packages; ResultsView.tsx exposes scanAccessToken to the browser and renders raw/unvalidated provider errors and findings.


📦 Dependency Vulnerabilities

✅ No known vulnerabilities detected in dependencies.


🛡️ Code Security Analysis

🔴 apps/app/src/app/(app)/[orgId]/cloud-tests/components/ResultsView.tsx (HIGH Risk)

#  Issue                                                                            Risk Level
1  scanAccessToken exposed to browser via props/useRealtimeRun                       HIGH
2  Raw provider error messages rendered to UI (sensitive info leak)                  HIGH
3  Unvalidated findings data rendered in client (potential injection or info leak)   HIGH

Recommendations:

  1. Do not pass long-lived or privileged scan access tokens to the browser. Move scanning orchestration and provider access to a trusted server-side component or API. If client-side realtime functionality is required, use short-lived, narrowly-scoped, ephemeral tokens minted by the server.
  2. Avoid rendering raw provider error payloads to users. Replace detailed provider errors with a generic user-facing message (e.g., "An error occurred during the scan. Please try again.") and log the full error server-side for debugging. If parsing is required, extract only non-sensitive fields and redact any credentials, IDs, stack traces, or request/response bodies.
  3. Validate and normalize all findings on the server before returning them to the client. Only return minimal, sanitized fields necessary for the UI. On the client, escape/encode any user- or provider-controlled strings before inserting into the DOM. Avoid dangerouslySetInnerHTML; if rich content is required, sanitize it using a vetted library (e.g., DOMPurify) on the server or client prior to rendering.
  4. Adopt least-privilege access for scanning tokens (minimal scopes) and make them short-lived. Implement server-side auditing and monitoring of token use.
  5. Centralize error handling: detailed diagnostics and stack traces should remain server-side. Use correlation IDs to help users report issues without exposing internals.
  6. Add Content Security Policy (CSP) and other frontend hardening to mitigate impact of potential XSS, and ensure findings data is treated as untrusted input.

💡 Recommendations

  1. Remove scanAccessToken from client props/useRealtimeRun. Keep any long‑lived or privileged tokens out of ResultsView.tsx and perform scanning/authorization on a trusted server endpoint (or mint narrowly scoped, short‑lived tokens server‑side).
  2. Stop rendering raw provider error payloads from ResultsView.tsx. Replace with a generic user message and map/log detailed provider errors server‑side; ensure any displayed error fields are explicitly whitelisted and redacted of IDs, stack traces, and request/response bodies.
  3. Validate and sanitize all findings before inserting into the DOM in ResultsView.tsx. Escape or encode provider/user‑controlled strings, avoid dangerouslySetInnerHTML, and only render minimal, vetted fields. If rich HTML must be shown, sanitize it with a vetted sanitizer prior to render.

Powered by Comp AI - AI that handles compliance for you. Reviewed Oct 30, 2025
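Recommendations 2 and 5 of the review (allow-listed, redacted error fields plus a correlation ID), as an added example in TypeScript that is not the project's or this PR's code; the `{ error: { code, status, message } }` envelope, the KNOWN code table and the sample payloads are assumptions:

```typescript
// Added example, not code from the Comp AI project or this PR: a server-side
// helper that turns a raw GCP/Azure-style error payload into a short,
// allow-listed, redacted message that is safe to hand to ResultsView.tsx.
// The `{ error: { code, status, message } }` envelope is an assumption modelled
// on the providers' common error shape; the sample codes are constructed.
type SafeError = { userMessage: string; correlationId: string };

// Provider codes/statuses mapped to a fixed sentence; anything else falls back
// to a redacted excerpt or a generic message.
const KNOWN: Record<string, string> = {
  PERMISSION_DENIED: "The scanner lacks permission to read this resource.",
  UNAUTHENTICATED: "The scanner's credentials were rejected.",
  AuthorizationFailed: "The scanner lacks permission to read this resource.",
  ExpiredAuthenticationToken: "The scanner's credentials have expired.",
};

// Remove what must never reach a browser: bearer tokens, key-like strings,
// URLs, long hex identifiers and stack-trace lines; then cap the length.
function redact(s: string): string {
  return s
    .replace(/Bearer\s+[A-Za-z0-9._~+\/=-]+/g, "Bearer [REDACTED]")
    .replace(/\b(AIza|AKIA|sk-)[A-Za-z0-9_-]{8,}/g, "[REDACTED]")
    .replace(/\bhttps?:\/\/\S+/g, "[url]")
    .replace(/\b[0-9a-f]{24,}\b/gi, "[id]")
    .split("\n")
    .filter((line) => !/^\s*at\s/.test(line))
    .join(" ")
    .trim()
    .slice(0, 160);
}

function toSafeError(raw: unknown, correlationId: string): SafeError {
  // Read only the allow-listed fields; the rest of the blob is never used.
  type Envelope = { error?: { code?: unknown; status?: unknown; message?: unknown } };
  const env = (raw as Envelope | null)?.error;
  const key = [env?.status, env?.code].find(
    (v) => typeof v === "string" && Object.prototype.hasOwnProperty.call(KNOWN, v),
  );
  let userMessage: string;
  if (typeof key === "string") {
    userMessage = KNOWN[key];
  } else {
    const excerpt = typeof env?.message === "string" ? redact(env.message) : "";
    userMessage = excerpt
      ? `The scan could not be completed: ${excerpt}`
      : "An error occurred during the scan. Please try again.";
  }
  // Correlation id for user reports; the raw payload is assumed logged server-side under it.
  return { userMessage: `${userMessage} (reference ${correlationId})`, correlationId };
}
```

The raw payload itself never leaves the server; only the allow-listed sentence or the redacted excerpt is returned to the client.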

Updated propagation delay messaging from 12-24 hours to 24-48 hours
to better reflect real-world cloud security service propagation times.
Also removed "or run another scan" text as rescanning doesn't affect
propagation delays.
@Marfuen Marfuen merged commit 9abfc4a into main Oct 30, 2025
6 of 7 checks passed
@Marfuen Marfuen deleted the alex/cloud-tests-error-ux-improvements branch October 30, 2025 15:12
claudfuen pushed a commit that referenced this pull request Oct 30, 2025
## [1.56.5](v1.56.4...v1.56.5) (2025-10-30)

### Bug Fixes

* **cloud-tests:** improve error messages and user feedback ([#1703](#1703)) ([9abfc4a](9abfc4a))
@claudfuen
Contributor

🎉 This PR is included in version 1.56.5 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
