fix(native): escape JSON attachments #1771
Open
jpnurmi wants to merge 2 commits into
File names and content types are arbitrary user-supplied strings that can contain characters that must be escaped in JSON.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit e319974.
| _write(fd, header, (unsigned int)header_written); | ||
| _write(fd, "\n", 1); | ||
| #endif | ||
| sentry_free(header); |
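Review bot: the return values of both `_write` calls (`_write(fd, header, (unsigned int)header_written)` and `_write(fd, "\n", 1)`) are discarded, so a short or failed write leaves a truncated item header in front of the attachment bytes and the envelope is still emitted as if it were well formed. Compare each result against the requested length and abandon the item on mismatch, keeping the `sentry_free(header)` on that path, rather than continuing to the attachment body.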
Partial headers on builder failure
Medium Severity
Replacing the fixed snprintf header with sentry__jsonwriter drops the old overflow guard and only treats a null header as failure. The JSON writer ignores sentry__stringbuilder append errors, so allocation pressure can yield a truncated item header that is still written and followed by attachment bytes, corrupting the crash envelope.
Filenames and attachment/content types are arbitrary user-supplied strings that can contain characters that must be escaped in JSON.
JSON injection in crash daemon envelope headers via unescaped attachment filenames
Details
The write_attachment_to_envelope function constructs a JSON envelope item header using snprintf with %s interpolation for filename and content_type values. These originate from user-controlled API calls (sentry_attach_bytes, sentry_attachment_set_filename) with no validation. The values are properly JSON-escaped when serialized to the attachment list file via sentry_value_to_json, but after the crash daemon deserializes them with sentry__value_from_json and retrieves them with sentry_value_as_string, the raw unescaped strings are returned. Characters like double-quotes, backslashes, and newlines in filenames are interpolated verbatim into the JSON header, breaking the JSON structure. The normal envelope serialization path in sentry_envelope.c uses proper JSON writers, but the crash daemon duplicates this logic with raw snprintf.
Location
src/backends/native/sentry_crash_daemon.c:117
Impact
Attacker corrupts envelope structure causing misinterpretation of crash data
Reproduction steps
Recommended fix
Envelope item headers in the crash daemon must use proper JSON serialization (the existing sentry_jsonwriter) rather than raw snprintf interpolation, ensuring all string values are escaped.
Severity: MEDIUM
Status: Open
Category: Injection
Repository: getsentry/sentry-native
Branch: master