getsentry
Unexpected path info in stack.package after upgrade SDK to 8.36.0
Platform
macOS
Environment
Production
Installed
Manually
Version
8.36.0
Xcode Version
15.4
Did it work on previous versions?
Yes, 8.0.0
Steps to Reproduce
Stack. package shows unexpected local path infos after upgrade
- open discover
- add stack.package column
- see package with path infos
Expected Result
Actual Result
Are you willing to submit a PR?
No response
We fixed this as the package property should contain the full path of the assembly, see develop docs:
The "package" the frame was contained in. Depending on the platform, this can be different things. For C#, it can be the name of the assembly. For native code, it can be the path of the dynamic library, etc.
@ShiBody, you now actually get more information on the package. Can you explain why this is a problem for you?
We fixed this as the package property should contain the full path of the assembly, see develop docs:
The "package" the frame was contained in. Depending on the platform, this can be different things. For C#, it can be the name of the assembly. For native code, it can be the path of the dynamic library, etc.
@ShiBody, you now actually get more information on the package. Can you explain why this is a problem for you?
Hi @philipphofmann , this path contains some sensitive info of our app, which may cause security risks.
@ShiBody, you can shorten the paths in beforeSend by modifying the event.stacktrace or event.threads. Would that work for you?
Since this is for macOS, and it's exposing the user name, we should filter this out.
For now you can use @philipphofmann’s suggestion to remove it with the beforeSend option.
@ShiBody, you can shorten the paths in
beforeSendby modifying theevent.stacktraceorevent.threads. Would that work for you?
Hi @philipphofmann Thank you for the suggestion. I have tried to remove path and rewrite package with following code, but it failed. Could you help me to check if these changes are right?
options.beforeSend = ^SentryEvent * _Nullable(SentryEvent * _Nonnull event) {
for(SentryThread * _Nonnull thread in [event threads])
{
SentryStacktrace * _Nonnull stacktrace = [thread stacktrace];
auto frames = [stacktrace frames];
if (!frames)
{
continue;
}
for (SentryFrame * _Nonnull frame in frames)
{
auto package = [frame package];
if (!package || ![package isKindOfClass:[NSMutableString class]])
{
continue;
}
auto packageName = [package lastPathComponent];
if(packageName && packageName.length > 0)
{
[frame setPackage:packageName];
}
}
}
};
The screenshot is debug info fom my Xcode, which showed that i rewrote package successfully.
However, I could still see full path in Sentry stack.package as the following screenshot.
Did my codes do something wrong?
You still have assign the frames back to the stacktrace and back to the thread and then back to the event. Furthermore, you have to return the event in the callback. Then it should work.
@philipphofmann It works when i rewrite codefile in debugMeta. It's a pointer no need to write back all values... Still hope you could at least provide a toggle in options for uses to choose if expose full path or not. Not only user name but also path in app are sensitive information.
I'm happy that it works @ShiBody, but we should still fix this on our end. We don't need to provide a toggle. Trimming these paths on macOS should be the default behaviour.