@sentry/browser is failing security scans due to remote code injection risk

[gajus]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/browser

SDK Version

9.43.0

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

No response

Steps to Reproduce

We are using Sentry in a browser extension.

Our recent submission to Chrome store was rejected due to the risk of remote code injection pointing to the following code snippet:

 static/background/index.js: r = t ? .getOptions() ? .cdnBaseUrl || "https://browser.sentry-cdn.com"; return new URL(`/${(0,s.SDK_VERSION)}/${e}.min.js`, r).toString()

Expected Result

@sentry/browser should not include the ability to inject remote code.

Actual Result

@sentry/browser includes the ability to execute remote code.

[linear]

JS-810 @sentry/browser is failing security scans due to remote code injection risk

[gajus]

We worked around the issue by patching the dependency:

diff --git a/build/npm/cjs/utils/lazyLoadIntegration.js b/build/npm/cjs/utils/lazyLoadIntegration.js
index 744ce4bfd35f17722ce8e303522c14ec6a3332d5..c11173662a413ccac0ac16c7f2f0c84210e31aba 100644
--- a/build/npm/cjs/utils/lazyLoadIntegration.js
+++ b/build/npm/cjs/utils/lazyLoadIntegration.js
@@ -1,102 +1,11 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
-const core = require('@sentry/core');
-const helpers = require('../helpers.js');
-
-// This is a map of integration function method to bundle file name.
-const LazyLoadableIntegrations = {
-  replayIntegration: 'replay',
-  replayCanvasIntegration: 'replay-canvas',
-  feedbackIntegration: 'feedback',
-  feedbackModalIntegration: 'feedback-modal',
-  feedbackScreenshotIntegration: 'feedback-screenshot',
-  captureConsoleIntegration: 'captureconsole',
-  contextLinesIntegration: 'contextlines',
-  linkedErrorsIntegration: 'linkederrors',
-  dedupeIntegration: 'dedupe',
-  extraErrorDataIntegration: 'extraerrordata',
-  graphqlClientIntegration: 'graphqlclient',
-  httpClientIntegration: 'httpclient',
-  reportingObserverIntegration: 'reportingobserver',
-  rewriteFramesIntegration: 'rewriteframes',
-  browserProfilingIntegration: 'browserprofiling',
-  moduleMetadataIntegration: 'modulemetadata',
-} ;
-
-const WindowWithMaybeIntegration = helpers.WINDOW
-
-;
-
-/**
- * Lazy load an integration from the CDN.
- * Rejects if the integration cannot be loaded.
- */
-async function lazyLoadIntegration(
-  name,
-  scriptNonce,
-) {
-  const bundle = LazyLoadableIntegrations[name];
-
-  // `window.Sentry` is only set when using a CDN bundle, but this method can also be used via the NPM package
-  const sentryOnWindow = (WindowWithMaybeIntegration.Sentry = WindowWithMaybeIntegration.Sentry || {});
-
-  if (!bundle) {
-    throw new Error(`Cannot lazy load integration: ${name}`);
-  }
-
-  // Bail if the integration already exists
-  const existing = sentryOnWindow[name];
-  // The `feedbackIntegration` is loaded by default in the CDN bundles,
-  // so we need to differentiate between the real integration and the shim.
-  // if only the shim exists, we still want to lazy load the real integration.
-  if (typeof existing === 'function' && !('_isShim' in existing)) {
-    return existing;
-  }
-
-  const url = getScriptURL(bundle);
-  const script = helpers.WINDOW.document.createElement('script');
-  script.src = url;
-  script.crossOrigin = 'anonymous';
-  script.referrerPolicy = 'strict-origin';
-
-  if (scriptNonce) {
-    script.setAttribute('nonce', scriptNonce);
-  }
-
-  const waitForLoad = new Promise((resolve, reject) => {
-    script.addEventListener('load', () => resolve());
-    script.addEventListener('error', reject);
-  });
-
-  const currentScript = helpers.WINDOW.document.currentScript;
-  const parent = helpers.WINDOW.document.body || helpers.WINDOW.document.head || currentScript?.parentElement;
-
-  if (parent) {
-    parent.appendChild(script);
-  } else {
-    throw new Error(`Could not find parent element to insert lazy-loaded ${name} script`);
-  }
-
-  try {
-    await waitForLoad;
-  } catch {
-    throw new Error(`Error when loading integration: ${name}`);
-  }
-
-  const integrationFn = sentryOnWindow[name];
-
-  if (typeof integrationFn !== 'function') {
-    throw new Error(`Could not load integration: ${name}`);
-  }
-
-  return integrationFn;
-}
-
-function getScriptURL(bundle) {
-  const client = core.getClient();
-  const baseURL = client?.getOptions()?.cdnBaseUrl || 'https://browser.sentry-cdn.com';
-
-  return new URL(`/${core.SDK_VERSION}/${bundle}.min.js`, baseURL).toString();
+async function lazyLoadIntegration() {
+  /**
+   * @see https://contra-work.slack.com/archives/C091VTMULBX/p1753942451899869
+   * @see https://github.com/getsentry/sentry-javascript/issues/17267
+   */
+  throw new Error('Code removed due to remote injection risk');
 }
 
 exports.lazyLoadIntegration = lazyLoadIntegration;
diff --git a/build/npm/esm/utils/lazyLoadIntegration.js b/build/npm/esm/utils/lazyLoadIntegration.js
index 7e3944fb657ae1771c1d60cf78f7eff11f81cef6..0617b64287499886f79e569d30c5b74693565cc8 100644
--- a/build/npm/esm/utils/lazyLoadIntegration.js
+++ b/build/npm/esm/utils/lazyLoadIntegration.js
@@ -1,100 +1,9 @@
-import { getClient, SDK_VERSION } from '@sentry/core';
-import { WINDOW } from '../helpers.js';
-
-// This is a map of integration function method to bundle file name.
-const LazyLoadableIntegrations = {
-  replayIntegration: 'replay',
-  replayCanvasIntegration: 'replay-canvas',
-  feedbackIntegration: 'feedback',
-  feedbackModalIntegration: 'feedback-modal',
-  feedbackScreenshotIntegration: 'feedback-screenshot',
-  captureConsoleIntegration: 'captureconsole',
-  contextLinesIntegration: 'contextlines',
-  linkedErrorsIntegration: 'linkederrors',
-  dedupeIntegration: 'dedupe',
-  extraErrorDataIntegration: 'extraerrordata',
-  graphqlClientIntegration: 'graphqlclient',
-  httpClientIntegration: 'httpclient',
-  reportingObserverIntegration: 'reportingobserver',
-  rewriteFramesIntegration: 'rewriteframes',
-  browserProfilingIntegration: 'browserprofiling',
-  moduleMetadataIntegration: 'modulemetadata',
-} ;
-
-const WindowWithMaybeIntegration = WINDOW
-
-;
-
-/**
- * Lazy load an integration from the CDN.
- * Rejects if the integration cannot be loaded.
- */
-async function lazyLoadIntegration(
-  name,
-  scriptNonce,
-) {
-  const bundle = LazyLoadableIntegrations[name];
-
-  // `window.Sentry` is only set when using a CDN bundle, but this method can also be used via the NPM package
-  const sentryOnWindow = (WindowWithMaybeIntegration.Sentry = WindowWithMaybeIntegration.Sentry || {});
-
-  if (!bundle) {
-    throw new Error(`Cannot lazy load integration: ${name}`);
-  }
-
-  // Bail if the integration already exists
-  const existing = sentryOnWindow[name];
-  // The `feedbackIntegration` is loaded by default in the CDN bundles,
-  // so we need to differentiate between the real integration and the shim.
-  // if only the shim exists, we still want to lazy load the real integration.
-  if (typeof existing === 'function' && !('_isShim' in existing)) {
-    return existing;
-  }
-
-  const url = getScriptURL(bundle);
-  const script = WINDOW.document.createElement('script');
-  script.src = url;
-  script.crossOrigin = 'anonymous';
-  script.referrerPolicy = 'strict-origin';
-
-  if (scriptNonce) {
-    script.setAttribute('nonce', scriptNonce);
-  }
-
-  const waitForLoad = new Promise((resolve, reject) => {
-    script.addEventListener('load', () => resolve());
-    script.addEventListener('error', reject);
-  });
-
-  const currentScript = WINDOW.document.currentScript;
-  const parent = WINDOW.document.body || WINDOW.document.head || currentScript?.parentElement;
-
-  if (parent) {
-    parent.appendChild(script);
-  } else {
-    throw new Error(`Could not find parent element to insert lazy-loaded ${name} script`);
-  }
-
-  try {
-    await waitForLoad;
-  } catch {
-    throw new Error(`Error when loading integration: ${name}`);
-  }
-
-  const integrationFn = sentryOnWindow[name];
-
-  if (typeof integrationFn !== 'function') {
-    throw new Error(`Could not load integration: ${name}`);
-  }
-
-  return integrationFn;
-}
-
-function getScriptURL(bundle) {
-  const client = getClient();
-  const baseURL = client?.getOptions()?.cdnBaseUrl || 'https://browser.sentry-cdn.com';
-
-  return new URL(`/${SDK_VERSION}/${bundle}.min.js`, baseURL).toString();
+async function lazyLoadIntegration() {
+  /**
+   * @see https://contra-work.slack.com/archives/C091VTMULBX/p1753942451899869
+   * @see https://github.com/getsentry/sentry-javascript/issues/17267
+   */
+  throw new Error('Code removed due to remote injection risk');
 }
 
 export { lazyLoadIntegration };

[AbhiPrasad]

lazyLoadIntegration should only be used if you are using the feedback integration. Otherwise it should be treeshaken out.

Are you using feedback?

[AbhiPrasad]

Ah I guess the browser SDK also exports this, but that should be treeshaken out too if it's not being used.

[Lms24]

This has been reported multiple times (#14010, #14579). So far this always seemed to be related to bundlers not treeshaking out the lazyloadIntegration API. I suggest checking tree shaking settings.

[gajus]

Unfortunately, it appears like in this particular project we do not have the capability to use tree-shaking.

PlasmoHQ/plasmo#1302

I am not super familiar with the Parcel ecosystem, but nothing came up with a few searches that I did.

Regardless, I do think that not including any paths that can lead to remote code execution to the SDK by default is desirable.