sentry-electron
Enabling the ANR feature caused the debug main process function to become inoperative
Is there an existing issue for this?
- [X] I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- [X] I have reviewed the documentation https://docs.sentry.io/
- [X] I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Sentry Saas (sentry.io)
Electron SDK Version
4.24.0
Electron Version
27.2.0
What platform are you using?
None
Link to Sentry event
No response
Steps to Reproduce
- enable sentry main process ANR detection
- kill -sigusr1 mainProcessID
- open chrome://inspect in Chrome
Expected Result
There's a remote target
Actual Result
no remote target
After enabling the Sentry ANR feature, it automatically activates the debugger, which listens on a local port. It is likely that this is the cause.
I have a question: With the debugger opened by default, if someone knows this port number, they could remotely control the app. Isn't that unsafe?
Hi @PayneFuRC thanks for writing in and apologies for the late reply! Unfortunately this seems to have slipped through since we've been busy with releasing version 8.0.0 of the JS SDKs.
@timfish would you mind taking a look at this when you have some time?
> With the debugger opened by default, if someone knows this port number, they could remotely control the app. Isn't that unsafe?
The ANR feature in the main process uses the Node debugger to detect event loop blocking from a worker thread. I'll add to the docs to make this more clear.
127.0.0.1 is the localhost port. This means it's only accessible from the local machine.
This does mean that software running on the local machine can potentially open a debug connection to your app. Depending on the nature of your app this may be a security concern. Note that unless you set Electron Fuses, your app can be started with --inspect to expose the debugger.
ok, got it. Thanks.