fix(faro/receiver): not download source map if configure `download=fa…

…lse` (#6686) Signed-off-by: hainenber <[email protected]> Co-authored-by: Paschalis Tsilias <[email protected]>
grafana · Apr 3, 2024 · 633ad9d · 633ad9d
1 parent 6428b69
commit 633ad9d
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -60,6 +60,9 @@ Main (unreleased)
 
 - Fix an issue where JSON string array elements were not parsed correctly in `loki.source.cloudflare`. (@thampiotr)
 
+
+- Fix SSRF vulnerability in `faro.receiver` by disabling source map download. (@hainenber)
+
 - Fix an issue where the azure exporter was not correctly gathering subscription scoped metrics when only one region was configured (@kgeckhart)
 
 - Update gcp_exporter to a newer version with a patch for incorrect delta histograms (@kgeckhart)

diff --git a/internal/component/faro/receiver/sourcemaps.go b/internal/component/faro/receiver/sourcemaps.go
@@ -172,10 +172,8 @@ func (store *sourceMapsStoreImpl) getSourceMapContent(sourceURL string, release
 		}
 	}
 
-	// Attempt to download the sourcemap.
-	//
-	// TODO(rfratto): check if downloading is enabled.
-	if strings.HasPrefix(sourceURL, "http") && urlMatchesOrigins(sourceURL, store.args.DownloadFromOrigins) {
+	// Attempt to download the sourcemap if enabled.
+	if strings.HasPrefix(sourceURL, "http") && urlMatchesOrigins(sourceURL, store.args.DownloadFromOrigins) && store.args.Download {
 		return store.downloadSourceMapContent(sourceURL)
 	}
 	return nil, "", nil

diff --git a/internal/component/faro/receiver/sourcemaps_test.go b/internal/component/faro/receiver/sourcemaps_test.go
@@ -349,6 +349,88 @@ func Test_sourceMapsStoreImpl_ReadFromFileSystemAndDownload(t *testing.T) {
 	require.Equal(t, expect, actual)
 }
 
+func Test_sourceMapsStoreImpl_ReadFromFileSystemAndNotDownloadIfDisabled(t *testing.T) {
+	var (
+		logger = util.TestLogger(t)
+
+		httpClient = &mockHTTPClient{
+			responses: []struct {
+				*http.Response
+				error
+			}{
+				{newResponseFromTestData(t, "foo.js"), nil},
+				{newResponseFromTestData(t, "foo.js.map"), nil},
+			},
+		}
+
+		fileService = &mockFileService{
+			files: map[string][]byte{
+				filepath.FromSlash("/var/build/latest/foo.js.map"): loadTestData(t, "foo.js.map"),
+			},
+		}
+
+		store = newSourceMapsStore(
+			logger,
+			SourceMapsArguments{
+				Download:            false,
+				DownloadFromOrigins: []string{"*"},
+				Locations: []LocationArguments{
+					{
+						MinifiedPathPrefix: "http://foo.com/",
+						Path:               filepath.FromSlash("/var/build/latest/"),
+					},
+				},
+			},
+			newSourceMapMetrics(prometheus.NewRegistry()),
+			httpClient,
+			fileService,
+		)
+	)
+
+	expect := &payload.Exception{
+		Stacktrace: &payload.Stacktrace{
+			Frames: []payload.Frame{
+				{
+					Colno:    37,
+					Filename: "/__parcel_source_root/demo/src/actions.ts",
+					Function: "?",
+					Lineno:   6,
+				},
+				{
+					Colno:    5,
+					Filename: "http://bar.com/foo.js",
+					Function: "callUndefined",
+					Lineno:   6,
+				},
+			},
+		},
+	}
+
+	actual := transformException(logger, store, &payload.Exception{
+		Stacktrace: &payload.Stacktrace{
+			Frames: []payload.Frame{
+				{
+					Colno:    6,
+					Filename: "http://foo.com/foo.js",
+					Function: "eval",
+					Lineno:   5,
+				},
+				{
+					Colno:    5,
+					Filename: "http://bar.com/foo.js",
+					Function: "callUndefined",
+					Lineno:   6,
+				},
+			},
+		},
+	}, "123")
+
+	require.Equal(t, []string{filepath.FromSlash("/var/build/latest/foo.js.map")}, fileService.stats)
+	require.Equal(t, []string{filepath.FromSlash("/var/build/latest/foo.js.map")}, fileService.reads)
+	require.Nil(t, httpClient.requests)
+	require.Equal(t, expect, actual)
+}
+
 func Test_sourceMapsStoreImpl_FilepathSanitized(t *testing.T) {
 	var (
 		logger = util.TestLogger(t)