Integrate new cross-platform symbolicator #1800

detj · 2025-02-11T11:56:52Z

Summary

This PR introduces a new cross-platform symbolicator service and replaces the old symbolication pipeline with a new one.

Tasks

The best way to fix the problem is to avoid logging sensitive information such as SecretKey and AccessKey. Instead, we can log a message indicating that the sources were processed without including the sensitive details. This can be achieved by removing the logging of the sources variable and replacing it with a more generic log message.

To implement the changes, we need to modify the makeRequest method in the backend/api/symbolicator/symbolicator.go file. Specifically, we will remove the line that logs the sources variable and replace it with a more generic log message.

Signed-off-by: detj <[email protected]>

- add support for uploading multiple mapping files for iOS dSYM files Signed-off-by: detj <[email protected]>

backend/api/measure/mapping.go

 	code = http.StatusBadRequest
+	maxSize := int64(server.Server.Config.MappingFileMaxSize)


Signed-off-by: detj <[email protected]>

- update sessionator record command to support uploading multiple mapping files - fix an issue where mapping type was not being read properly - fix an issue where optional build size was not being written properly Signed-off-by: detj <[email protected]>

Signed-off-by: detj <[email protected]>

self-host/sessionator/cmd/record.go

+		}
+
+		mappingFilePath := filepath.Join(outputDir, appUniqueID, versionName, versionCode, filename)
+		if err := os.MkdirAll(filepath.Dir(mappingFilePath), 0755); err != nil {


To fix the problem, we need to validate the appUniqueID, versionName, and versionCode values to ensure they do not contain any path traversal characters or sequences. This can be done by checking for the presence of path separators ("/" or "\") and ".." sequences, and rejecting the input if any are found. Additionally, we should ensure that the resolved path is within a specific safe directory.

self-host/sessionator/cmd/record.go

-		defer enc.Close()
-		_, err = io.Copy(enc, file)
+
+		out, err := os.Create(mappingFilePath)


To fix the problem, we need to validate the user input before using it to construct the file path. Specifically, we should ensure that the appUniqueID, versionName, and versionCode values do not contain any path separators or ".." sequences. This can be done by checking for the presence of these characters and rejecting the input if any are found.

self-host/sessionator/cmd/record.go

-	buildFilePath := filepath.Join(outputDir, appUniqueID, versionName, "build.toml")
-	out, err = os.Create(buildFilePath)
+	buildFilePath := filepath.Join(outputDir, appUniqueID, versionName, versionCode, "build.toml")
+	if err := os.MkdirAll(filepath.Dir(buildFilePath), 0755); err != nil {


To fix the problem, we need to ensure that the user-provided appUniqueID is validated before being used to construct file paths. We can achieve this by checking that the appUniqueID does not contain any path separators or parent directory references. Additionally, we should ensure that the resolved path is within a specific safe directory.

Validate the appUniqueID to ensure it does not contain any path separators or parent directory references.

Ensure that the resolved path is within a specific safe directory.

self-host/sessionator/cmd/record.go

+		})
+		return
+	}
+	out, err := os.Create(buildFilePath)


To fix the problem, we need to validate the user input before using it to construct a file path. Specifically, we should ensure that the appUniqueID does not contain any path separators or parent directory references. This can be done by checking for the presence of "/" or "\" characters and ".." sequences in the appUniqueID value. If any of these are found, we should reject the input and return an error response.

- add environment variable for symbolicator origin in server config Signed-off-by: detj <[email protected]>

Signed-off-by: detj <[email protected]>

detj added 10 commits October 11, 2024 10:06

chore(backend): add new migrator service

ab8c29d

- add a new migrator service - setup a common migration infrastructure for migrating objects - add a journal component to keep track of migrations Signed-off-by: detj <[email protected]>

chore(backend): update journal and add volume to migrator

1b1e6b5

Signed-off-by: detj <[email protected]>

chore: merge branch 'main' into integrate-symbolicator

cb85758

chore: merge branch 'main' into integrate-symbolicator

0b70276

chore: merge branch 'main' into integrate-symbolicator

989856f

chore: merge branch 'main' into integrate-symbolicator

39575f1

chore(backend): modify put builds api

c6cf47a

- modify builds api to process ios build mapping files - support both ios and android platform Signed-off-by: detj <[email protected]>

test(backend): add dif test

8060e00

- add tests for dsym debug information file processing Signed-off-by: detj <[email protected]>

chore(backend): update sessionator record

351d37a

Signed-off-by: detj <[email protected]>

chore(backend): symbolicator wip

07c1451

- integrate symbolicator service - figure out iOS symbolication - update sdk api docs fixes #1320 Signed-off-by: detj <[email protected]>

detj added feature new features backend backend related labels Feb 11, 2025

detj self-assigned this Feb 11, 2025

detj marked this pull request as draft February 11, 2025 11:57

github-advanced-security bot found potential problems Feb 11, 2025

View reviewed changes

detj added 3 commits February 13, 2025 11:54

chore(backend): add sleep functions to chrono

8d69ff8

Signed-off-by: detj <[email protected]>

chore(backend): add cache package

01641d5

Signed-off-by: detj <[email protected]>

docs(backend): update codec package docs

17e5a87

Signed-off-by: detj <[email protected]>

vercel bot deployed to Preview February 13, 2025 06:27 View deployment

chore(backend): add support for multiple mapping files

fd4f13f

- add support for uploading multiple mapping files for iOS dSYM files Signed-off-by: detj <[email protected]>

vercel bot deployed to Preview February 20, 2025 06:20 View deployment

github-advanced-security bot found potential problems Feb 20, 2025

View reviewed changes

chore(backend): add code comments

bcb1c06

Signed-off-by: detj <[email protected]>

vercel bot deployed to Preview February 20, 2025 09:39 View deployment

detj added 2 commits February 24, 2025 05:17

chore(backend): support multi dsym ingest

d662018

Signed-off-by: detj <[email protected]>

vercel bot deployed to Preview February 24, 2025 03:36 View deployment

github-advanced-security bot found potential problems Feb 24, 2025

View reviewed changes

chore(backend): add symbolicator origin in server config

75b08d4

- add environment variable for symbolicator origin in server config Signed-off-by: detj <[email protected]>

vercel bot deployed to Preview February 24, 2025 12:26 View deployment

detj added 2 commits February 24, 2025 17:56

chore(backend): remove unused code

4d764c8

Signed-off-by: detj <[email protected]>

test(backend): add test for lru cache

7a0eeb1

Signed-off-by: detj <[email protected]>

vercel bot deployed to Preview February 24, 2025 12:53 View deployment

chore(backend): modify events table to store binary images

2b88811

Signed-off-by: detj <[email protected]>

vercel bot deployed to Preview February 24, 2025 15:13 View deployment

@@ -307,2 +307,22 @@
+            	// Validate inputs to prevent path traversal
+            	if strings.Contains(appUniqueID, "/") || strings.Contains(appUniqueID, "\\") || strings.Contains(appUniqueID, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid app_unique_id",
+            		})
+            		return
+            	}
+            	if strings.Contains(versionName, "/") || strings.Contains(versionName, "\\") || strings.Contains(versionName, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid version_name",
+            		})
+            		return
+            	}
+            	if strings.Contains(versionCode, "/") || strings.Contains(versionCode, "\\") || strings.Contains(versionCode, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid version_code",
+            		})
+            		return
+            	}
             	if appUniqueID == "" {
@@ -375,3 +395,10 @@
             		mappingFilePath := filepath.Join(outputDir, appUniqueID, versionName, versionCode, filename)
-            		if err := os.MkdirAll(filepath.Dir(mappingFilePath), 0755); err != nil {
+            		absMappingFilePath, err := filepath.Abs(mappingFilePath)
+            		if err != nil || !strings.HasPrefix(absMappingFilePath, outputDir) {
+            			c.JSON(http.StatusBadRequest, gin.H{
+            				"error": "Invalid file path",
+            			})
+            			return
+            		}
+            		if err := os.MkdirAll(filepath.Dir(absMappingFilePath), 0755); err != nil {
             			c.JSON(http.StatusInternalServerError, gin.H{

@@ -303,4 +303,22 @@
             	appUniqueID := c.Request.FormValue("app_unique_id")
+            	if strings.Contains(appUniqueID, "/") || strings.Contains(appUniqueID, "\\") || strings.Contains(appUniqueID, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid app_unique_id",
+            		})
+            		return
+            	}
             	versionName := c.Request.FormValue("version_name")
+            	if strings.Contains(versionName, "/") || strings.Contains(versionName, "\\") || strings.Contains(versionName, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid version_name",
+            		})
+            		return
+            	}
             	versionCode := c.Request.FormValue("version_code")
+            	if strings.Contains(versionCode, "/") || strings.Contains(versionCode, "\\") || strings.Contains(versionCode, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid version_code",
+            		})
+            		return
+            	}
             	mappingType := c.Request.FormValue("mapping_type")

@@ -303,2 +303,8 @@
             	appUniqueID := c.Request.FormValue("app_unique_id")
+            	if strings.Contains(appUniqueID, "/") || strings.Contains(appUniqueID, "\\") || strings.Contains(appUniqueID, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid app_unique_id",
+            		})
+            		return
+            	}
             	versionName := c.Request.FormValue("version_name")
@@ -412,3 +418,10 @@
             	buildFilePath := filepath.Join(outputDir, appUniqueID, versionName, versionCode, "build.toml")
-            	if err := os.MkdirAll(filepath.Dir(buildFilePath), 0755); err != nil {
+            	absBuildFilePath, err := filepath.Abs(buildFilePath)
+            	if err != nil || !strings.HasPrefix(absBuildFilePath, outputDir) {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid build file path",
+            		})
+            		return
+            	}
+            	if err := os.MkdirAll(filepath.Dir(absBuildFilePath), 0755); err != nil {
             		c.JSON(http.StatusInternalServerError, gin.H{

@@ -313,2 +313,9 @@
             	}
+            	// Validate appUniqueID to ensure it does not contain any path separators or parent directory references
+            	if strings.Contains(appUniqueID, "/") || strings.Contains(appUniqueID, "\\") || strings.Contains(appUniqueID, "..") {
+            		c.JSON(http.StatusBadRequest, gin.H{
+            			"error": "Invalid app_unique_id",
+            		})
+            		return
+            	}
             	if versionName == "" {

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Integrate new cross-platform symbolicator #1800

Integrate new cross-platform symbolicator #1800

detj commented Feb 11, 2025 •

edited

Loading

vercel bot commented Feb 11, 2025 •

edited

Loading

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

+              			return
+              		}
+              		fmt.Println("sources:", string(sources))

@@ -59,3 +59,3 @@
-            		fmt.Println("sources:", string(sources))
+            		fmt.Println("sources processed successfully")
             	}

		code = http.StatusBadRequest
		maxSize := int64(server.Server.Config.MappingFileMaxSize)

Integrate new cross-platform symbolicator #1800

Are you sure you want to change the base?

Integrate new cross-platform symbolicator #1800

Conversation

detj commented Feb 11, 2025 • edited Loading

Summary

Tasks

See also

vercel bot commented Feb 11, 2025 • edited Loading

detj commented Feb 11, 2025 •

edited

Loading

vercel bot commented Feb 11, 2025 •

edited

Loading