UNPKG

@sentry/core

Version:

Base implementation for all Sentry JavaScript SDKs

github.com/getsentry/sentry-javascript/tree/master/packages/core

getsentry/sentry-javascript

73 lines (60 loc) 2.25 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
import { getEnvelopeEndpointWithUrlEncodedAuth } from '../api.js'; import { debug } from './debug-logger.js'; import { makeDsn } from './dsn.js'; import { parseEnvelope } from './envelope.js'; /** * Core Sentry tunnel handler - framework agnostic. * * Validates the envelope DSN against allowed DSNs, then forwards the * envelope to the Sentry ingest endpoint. * * @returns A `Response` — either the upstream Sentry response on success, or an error response. */ async function handleTunnelRequest(options) { const { request, allowedDsns } = options; if (allowedDsns.length === 0) { return new Response('Tunnel not configured', { status: 500 }); } const body = new Uint8Array(await request.arrayBuffer()); let envelopeHeader; try { [envelopeHeader] = parseEnvelope(body); } catch { return new Response('Invalid envelope', { status: 400 }); } if (!envelopeHeader) { return new Response('Invalid envelope: missing header', { status: 400 }); } const dsn = envelopeHeader.dsn; if (!dsn) { return new Response('Invalid envelope: missing DSN', { status: 400 }); } // SECURITY: Validate that the envelope DSN matches one of the allowed DSNs // This prevents SSRF attacks where attackers send crafted envelopes // with malicious DSNs pointing to arbitrary hosts const isAllowed = allowedDsns.some(allowed => allowed === dsn); if (!isAllowed) { debug.warn(`Sentry tunnel: rejected request with unauthorized DSN (${dsn})`); return new Response('DSN not allowed', { status: 403 }); } const dsnComponents = makeDsn(dsn); if (!dsnComponents) { debug.warn(`Could not extract DSN Components from: ${dsn}`); return new Response('Invalid DSN', { status: 403 }); } const sentryIngestUrl = getEnvelopeEndpointWithUrlEncodedAuth(dsnComponents); try { return await fetch(sentryIngestUrl, { method: 'POST', headers: { 'Content-Type': 'application/x-sentry-envelope', }, body, }); } catch (error) { debug.error('Sentry tunnel: failed to forward envelope', error); return new Response('Failed to forward envelope to Sentry', { status: 500 }); } } export { handleTunnelRequest }; //# sourceMappingURL=tunnel.js.map