Summary
The Terser minification configuration in rollup.config.js does not strip console.debug() or console.error() calls from the production bundle. This causes internal API response structures and processed data models to be logged to the browser console in production, aiding reconnaissance by revealing backend field naming conventions and response payloads that are not displayed in the UI.
Affected Files
src/asset/asset-service.ts line 24: console.debug(data) logs the full raw API response from the captureEyeData endpoint, exposing internal field names like _api_c2_field, _api_c2_value, _api_c2_iconSource, fullAssetTree, and _api_c2_assetTree.* keys.src/asset/asset-service.ts line 65: console.debug(assetModel) logs the entire processed AssetModel object including creatorWallet, initialTransaction, and backend-specific fields.src/asset/asset-service.ts lines 17, 86-88: console.error() calls in error handlers expose backend error response structure (errorResponse.message, errorResponse.error.type).src/modal/interaction-tracker.ts lines 59, 87, 101: Additional console calls expose token lifecycle and event API error details.rollup.config.js lines 27-36: Terser config has no drop_console or pure_funcs option to strip these statements.
Impact
- Information disclosure: Internal API field naming conventions (
_api_c2_*, fullAssetTree.*) are visible to any visitor who opens DevTools, revealing backend data model structure that is not part of the public-facing UI.
- Error response leakage: Backend error types and messages are logged, potentially revealing server-side implementation details.
- Bundle size: Unnecessary console calls add to the production bundle size.
Suggested Fix
Add console stripping to the Terser configuration in rollup.config.js:
terser({
ecma: 2021,
module: true,
warnings: true,
mangle: {
properties: {
regex: /^__/,
},
},
compress: {
pure_funcs: ['console.debug'], // Strip debug logs
// Or use drop_console: true to strip all console calls
},
}),Alternatively, replace console.debug calls with a conditional logger that is tree-shaken in production builds.
Summary
The Terser minification configuration in
rollup.config.jsdoes not stripconsole.debug()orconsole.error()calls from the production bundle. This causes internal API response structures and processed data models to be logged to the browser console in production, aiding reconnaissance by revealing backend field naming conventions and response payloads that are not displayed in the UI.Affected Files
src/asset/asset-service.tsline 24:console.debug(data)logs the full raw API response from thecaptureEyeDataendpoint, exposing internal field names like_api_c2_field,_api_c2_value,_api_c2_iconSource,fullAssetTree, and_api_c2_assetTree.*keys.src/asset/asset-service.tsline 65:console.debug(assetModel)logs the entire processedAssetModelobject includingcreatorWallet,initialTransaction, and backend-specific fields.src/asset/asset-service.tslines 17, 86-88:console.error()calls in error handlers expose backend error response structure (errorResponse.message,errorResponse.error.type).src/modal/interaction-tracker.tslines 59, 87, 101: Additional console calls expose token lifecycle and event API error details.rollup.config.jslines 27-36: Terser config has nodrop_consoleorpure_funcsoption to strip these statements.Impact
_api_c2_*,fullAssetTree.*) are visible to any visitor who opens DevTools, revealing backend data model structure that is not part of the public-facing UI.Suggested Fix
Add console stripping to the Terser configuration in
rollup.config.js:Alternatively, replace
console.debugcalls with a conditional logger that is tree-shaken in production builds.