From 633ad9d4125b8d227e44a3a020a1dd8187456541 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90=E1=BB=97=20Tr=E1=BB=8Dng=20H=E1=BA=A3i?= <41283691+hainenber@users.noreply.github.com> Date: Wed, 3 Apr 2024 21:08:39 +0700 Subject: [PATCH] fix(faro/receiver): not download source map if configure `download=false` (#6686) Signed-off-by: hainenber Co-authored-by: Paschalis Tsilias --- CHANGELOG.md | 3 + .../component/faro/receiver/sourcemaps.go | 6 +- .../faro/receiver/sourcemaps_test.go | 82 +++++++++++++++++++ 3 files changed, 87 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ec8f42a47ae2..55c75ad9fdf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -60,6 +60,9 @@ Main (unreleased) - Fix an issue where JSON string array elements were not parsed correctly in `loki.source.cloudflare`. (@thampiotr) + +- Fix SSRF vulnerability in `faro.receiver` by disabling source map download. (@hainenber) + - Fix an issue where the azure exporter was not correctly gathering subscription scoped metrics when only one region was configured (@kgeckhart) - Update gcp_exporter to a newer version with a patch for incorrect delta histograms (@kgeckhart) diff --git a/internal/component/faro/receiver/sourcemaps.go b/internal/component/faro/receiver/sourcemaps.go index 5dc1e7643f32..c2c099d5c7cb 100644 --- a/internal/component/faro/receiver/sourcemaps.go +++ b/internal/component/faro/receiver/sourcemaps.go @@ -172,10 +172,8 @@ func (store *sourceMapsStoreImpl) getSourceMapContent(sourceURL string, release } } - // Attempt to download the sourcemap. - // - // TODO(rfratto): check if downloading is enabled. - if strings.HasPrefix(sourceURL, "http") && urlMatchesOrigins(sourceURL, store.args.DownloadFromOrigins) { + // Attempt to download the sourcemap if enabled. + if strings.HasPrefix(sourceURL, "http") && urlMatchesOrigins(sourceURL, store.args.DownloadFromOrigins) && store.args.Download { return store.downloadSourceMapContent(sourceURL) } return nil, "", nil 
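Review bot: The new `store.args.Download` gate is evaluated last in the download condition, so `urlMatchesOrigins` still runs for every frame even when downloading is switched off; checking the flag first is cheaper and reads as the gate it is: `if store.args.Download && strings.HasPrefix(sourceURL, "http") && urlMatchesOrigins(sourceURL, store.args.DownloadFromOrigins) {`. The replacement comment `// Attempt to download the sourcemap if enabled.` could name the setting so a reader does not have to find the flag at the end of the line, e.g. `// Attempt to download the sourcemap only when args.Download is set and the URL matches an allowed origin.`. Both the "download disabled" and the "origin not allowed" outcomes fall through to the same `return nil, "", nil`, so a debug-level log on the skipped path would let operators tell the two apart when a frame stays unresolved; whether the store already has a logger is not visible here. getSourceMapContent starts outside the hunk.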
diff --git a/internal/component/faro/receiver/sourcemaps_test.go b/internal/component/faro/receiver/sourcemaps_test.go index 6ad1f7fcdd33..b154820bfe67 100644 --- a/internal/component/faro/receiver/sourcemaps_test.go +++ b/internal/component/faro/receiver/sourcemaps_test.go 
@@ -349,6 +349,88 @@ func Test_sourceMapsStoreImpl_ReadFromFileSystemAndDownload(t *testing.T) {
 	require.Equal(t, expect, actual)
 }
 
+func Test_sourceMapsStoreImpl_ReadFromFileSystemAndNotDownloadIfDisabled(t *testing.T) {
+	var (
+		logger = util.TestLogger(t)
+
+		httpClient = &mockHTTPClient{
+			responses: []struct {
+				*http.Response
+				error
+			}{
+				{newResponseFromTestData(t, "foo.js"), nil},
+				{newResponseFromTestData(t, "foo.js.map"), nil},
+			},
+		}
+
+		fileService = &mockFileService{
+			files: map[string][]byte{
+				filepath.FromSlash("/var/build/latest/foo.js.map"): loadTestData(t, "foo.js.map"),
+			},
+		}
+
+		store = newSourceMapsStore(
+			logger,
+			SourceMapsArguments{
+				Download:            false,
+				DownloadFromOrigins: []string{"*"},
+				Locations: []LocationArguments{
+					{
+						MinifiedPathPrefix: "http://foo.com/",
+						Path:               filepath.FromSlash("/var/build/latest/"),
+					},
+				},
+			},
+			newSourceMapMetrics(prometheus.NewRegistry()),
+			httpClient,
+			fileService,
+		)
+	)
+
+	expect := &payload.Exception{
+		Stacktrace: &payload.Stacktrace{
+			Frames: []payload.Frame{
+				{
+					Colno:    37,
+					Filename: "/__parcel_source_root/demo/src/actions.ts",
+					Function: "?",
+					Lineno:   6,
+				},
+				{
+					Colno:    5,
+					Filename: "http://bar.com/foo.js",
+					Function: "callUndefined",
+					Lineno:   6,
+				},
+			},
+		},
+	}
+
+	actual := transformException(logger, store, &payload.Exception{
+		Stacktrace: &payload.Stacktrace{
+			Frames: []payload.Frame{
+				{
+					Colno:    6,
+					Filename: "http://foo.com/foo.js",
+					Function: "eval",
+					Lineno:   5,
+				},
+				{
+					Colno:    5,
+					Filename: "http://bar.com/foo.js",
+					Function: "callUndefined",
+					Lineno:   6,
+				},
+			},
+		},
+	}, "123")
+
+	require.Equal(t, []string{filepath.FromSlash("/var/build/latest/foo.js.map")}, fileService.stats)
+	require.Equal(t, []string{filepath.FromSlash("/var/build/latest/foo.js.map")}, fileService.reads)
+	require.Nil(t, httpClient.requests)
+	require.Equal(t, expect, actual)
+}
+
 func Test_sourceMapsStoreImpl_FilepathSanitized(t *testing.T) {
 	var (
 		logger = util.TestLogger(t)
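Review bot: `require.Nil(t, httpClient.requests)` only holds while `requests` stays a nil slice; should mockHTTPClient ever initialise it as an empty slice, the assertion would fail for the wrong reason, so `require.Empty(t, httpClient.requests)` states the intent more robustly (mockHTTPClient is defined outside the hunk, so the slice type is inferred from the other assertions). The two prepared responses look unused at first glance, yet they are what gives the `expect` comparison its teeth: had the `Download` gate regressed, the `http://bar.com/foo.js` frame would have been resolved through them and `actual` would differ. A short comment on the `responses` literal would spare the next reader that reasoning, e.g. `// Responses are deliberately available: a regression of the Download gate would consume them and change the resolved bar.com frame.`.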