Merge remote-tracking branch 'origin' into feat/prioritize-component-name

Author: 0Calories

CHANGELOG.md

@@ -4,6 +4,14 @@
 
 - "You miss 100 percent of the chances you don't take. — Wayne Gretzky" — Michael Scott
 
+## 7.80.0
+
+- feat(astro): Add distributed tracing via `<meta>` tags (#9483)
+- feat(node): Capture internal server errors in trpc middleware (#9482)
+- feat(remix): Export a type to use for `MetaFunction` parameters (#9493)
+- fix(astro): Mark SDK package as Astro-external (#9509)
+- ref(nextjs): Don't initialize Server SDK during build (#9503)
+
 ## 7.79.0
 
 - feat(tracing): Add span `origin` to trace context (#9472)
@@ -24,7 +32,7 @@ This was possible by extensive use of tree shaking and a host of small changes t
 
 By using [tree shaking](https://docs.sentry.io/platforms/javascript/configuration/tree-shaking/) it is possible to shave up to 10 additional KB off the bundle.
 
-#### Other Changes
+### Other Changes
 
 - feat(astro): Add Sentry middleware (#9445)
 - feat(feedback): Add "outline focus" and "foreground hover" vars (#9462)
@@ -44,13 +52,18 @@ By using [tree shaking](https://docs.sentry.io/platforms/javascript/configuratio
 
 ## 7.77.0
 
+### Security Fixes
+
+- fix(nextjs): Match only numbers as orgid in tunnelRoute (#9416) (CVE-2023-46729)
+- fix(nextjs): Strictly validate tunnel target parameters (#9415) (CVE-2023-46729)
+
+### Other Changes
+
 - feat: Move LinkedErrors integration to @sentry/core (#9404)
 - feat(remix): Update sentry-cli version to ^2.21.2 (#9401)
 - feat(replay): Allow to treeshake & configure compression worker URL (#9409)
 - fix(angular-ivy): Adjust package entry points to support Angular 17 with SSR config (#9412)
 - fix(feedback): Fixing feedback import (#9403)
-- fix(nextjs): Match only numbers as orgid in tunnelRoute (#9416)
-- fix(nextjs): Strictly validate tunnel target parameters (#9415)
 - fix(utils): Avoid keeping a reference of last used event (#9387)
 
 ## 7.76.0

lerna.json

@@ -1,5 +1,5 @@
 {
   "$schema": "node_modules/lerna/schemas/lerna-schema.json",
-  "version": "7.79.0",
+  "version": "7.80.0",
   "npmClient": "yarn"
 }

packages/angular-ivy/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/angular-ivy",
-  "version": "7.79.0",
+  "version": "7.80.0",
   "description": "Official Sentry SDK for Angular with full Ivy Support",
   "repository": "git://github.com/getsentry/sentry-javascript.git",
   "homepage": "https://github.com/getsentry/sentry-javascript/tree/master/packages/angular-ivy",
@@ -21,9 +21,9 @@
     "rxjs": "^6.5.5 || ^7.x"
   },
   "dependencies": {
-    "@sentry/browser": "7.79.0",
-    "@sentry/types": "7.79.0",
-    "@sentry/utils": "7.79.0",
+    "@sentry/browser": "7.80.0",
+    "@sentry/types": "7.80.0",
+    "@sentry/utils": "7.80.0",
     "tslib": "^2.4.1"
   },
   "devDependencies": {

packages/angular/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/angular",
-  "version": "7.79.0",
+  "version": "7.80.0",
   "description": "Official Sentry SDK for Angular",
   "repository": "git://github.com/getsentry/sentry-javascript.git",
   "homepage": "https://github.com/getsentry/sentry-javascript/tree/master/packages/angular",
@@ -21,9 +21,9 @@
     "rxjs": "^6.5.5 || ^7.x"
   },
   "dependencies": {
-    "@sentry/browser": "7.79.0",
-    "@sentry/types": "7.79.0",
-    "@sentry/utils": "7.79.0",
+    "@sentry/browser": "7.80.0",
+    "@sentry/types": "7.80.0",
+    "@sentry/utils": "7.80.0",
     "tslib": "^2.4.1"
   },
   "devDependencies": {

packages/astro/README.md

@@ -64,8 +64,8 @@ import { sequence } from "astro:middleware";
 import * as Sentry from "@sentry/astro";
 
 export const onRequest = sequence(
-  Sentry.sentryMiddleware(),
-  // Add your other handlers after sentryMiddleware
+  Sentry.handleRequest(),
+  // Add your other handlers after Sentry.handleRequest()
 );
 ```
 

packages/astro/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/astro",
-  "version": "7.79.0",
+  "version": "7.80.0",
   "description": "Official Sentry SDK for Astro",
   "repository": "git://github.com/getsentry/sentry-javascript.git",
   "homepage": "https://github.com/getsentry/sentry-javascript/tree/master/packages/astro",
@@ -37,11 +37,11 @@
     "astro": "3.x"
   },
   "dependencies": {
-    "@sentry/browser": "7.79.0",
-    "@sentry/core": "7.79.0",
-    "@sentry/node": "7.79.0",
-    "@sentry/types": "7.79.0",
-    "@sentry/utils": "7.79.0",
+    "@sentry/browser": "7.80.0",
+    "@sentry/core": "7.80.0",
+    "@sentry/node": "7.80.0",
+    "@sentry/types": "7.80.0",
+    "@sentry/utils": "7.80.0",
     "@sentry/vite-plugin": "^2.8.0"
   },
   "devDependencies": {
@@ -74,5 +74,8 @@
   },
   "volta": {
     "extends": "../../package.json"
+  },
+  "astro": {
+    "external": true
   }
 }

packages/astro/src/server/meta.ts

@@ -0,0 +1,78 @@
+import { getDynamicSamplingContextFromClient } from '@sentry/core';
+import type { Hub, Span } from '@sentry/types';
+import {
+  dynamicSamplingContextToSentryBaggageHeader,
+  generateSentryTraceHeader,
+  logger,
+  TRACEPARENT_REGEXP,
+} from '@sentry/utils';
+
+/**
+ * Extracts the tracing data from the current span or from the client's scope
+ * (via transaction or propagation context) and renders the data to <meta> tags.
+ *
+ * This function creates two serialized <meta> tags:
+ * - `<meta name="sentry-trace" content="..."/>`
+ * - `<meta name="baggage" content="..."/>`
+ *
+ * TODO: Extract this later on and export it from the Core or Node SDK
+ *
+ * @param span the currently active span
+ * @param client the SDK's client
+ *
+ * @returns an object with the two serialized <meta> tags
+ */
+export function getTracingMetaTags(span: Span | undefined, hub: Hub): { sentryTrace: string; baggage?: string } {
+  const scope = hub.getScope();
+  const client = hub.getClient();
+  const { dsc, sampled, traceId } = scope.getPropagationContext();
+  const transaction = span?.transaction;
+
+  const sentryTrace = span ? span.toTraceparent() : generateSentryTraceHeader(traceId, undefined, sampled);
+
+  const dynamicSamplingContext = transaction
+    ? transaction.getDynamicSamplingContext()
+    : dsc
+    ? dsc
+    : client
+    ? getDynamicSamplingContextFromClient(traceId, client, scope)
+    : undefined;
+
+  const baggage = dynamicSamplingContextToSentryBaggageHeader(dynamicSamplingContext);
+
+  const isValidSentryTraceHeader = TRACEPARENT_REGEXP.test(sentryTrace);
+  if (!isValidSentryTraceHeader) {
+    logger.warn('Invalid sentry-trace data. Returning empty <meta name="sentry-trace"/> tag');
+  }
+
+  const validBaggage = isValidBaggageString(baggage);
+  if (!validBaggage) {
+    logger.warn('Invalid baggage data. Returning empty <meta name="baggage"/> tag');
+  }
+
+  return {
+    sentryTrace: `<meta name="sentry-trace" content="${isValidSentryTraceHeader ? sentryTrace : ''}"/>`,
+    baggage: baggage && `<meta name="baggage" content="${validBaggage ? baggage : ''}"/>`,
+  };
+}
+
+/**
+ * Tests string against baggage spec as defined in:
+ *
+ * - W3C Baggage grammar: https://www.w3.org/TR/baggage/#definition
+ * - RFC7230 token definition: https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+ *
+ * exported for testing
+ */
+export function isValidBaggageString(baggage?: string): boolean {
+  if (!baggage || !baggage.length) {
+    return false;
+  }
+  const keyRegex = "[-!#$%&'*+.^_`|~A-Za-z0-9]+";
+  const valueRegex = '[!#-+-./0-9:<=>?@A-Z\\[\\]a-z{-}]+';
+  const spaces = '\\s*';
+  const baggageRegex = new RegExp(
+    `^${keyRegex}${spaces}=${spaces}${valueRegex}(${spaces},${spaces}${keyRegex}${spaces}=${spaces}${valueRegex})*$`,
+  );
+  return baggageRegex.test(baggage);
+}

packages/astro/src/server/middleware.ts

@@ -1,20 +1,27 @@
-import { captureException, configureScope, startSpan } from '@sentry/node';
+import { captureException, configureScope, getCurrentHub, startSpan } from '@sentry/node';
+import type { Hub, Span } from '@sentry/types';
 import { addExceptionMechanism, objectify, stripUrlQueryAndFragment, tracingContextFromHeaders } from '@sentry/utils';
 import type { APIContext, MiddlewareResponseHandler } from 'astro';
 
+import { getTracingMetaTags } from './meta';
+
 type MiddlewareOptions = {
   /**
    * If true, the client IP will be attached to the event by calling `setUser`.
-   * Only set this to `true` if you're fine with collecting potentially personally identifiable information (PII).
    *
-   * This will only work if your app is configured for SSR
+   * Important: Only enable this option if your Astro app is configured for (hybrid) SSR
+   * via the `output: 'server' | 'hybrid'` option in your `astro.config.mjs` file.
+   * Otherwise, Astro will throw an error when starting the server.
+   *
+   * Only set this to `true` if you're fine with collecting potentially personally identifiable information (PII).
    *
    * @default false (recommended)
    */
   trackClientIp?: boolean;
 
   /**
    * If true, the headers from the request will be attached to the event by calling `setExtra`.
+   *
    * Only set this to `true` if you're fine with collecting potentially personally identifiable information (PII).
    *
    * @default false (recommended)
@@ -93,11 +100,42 @@ export const handleRequest: (options?: MiddlewareOptions) => MiddlewareResponseH
           },
         },
         async span => {
-          const res = await next();
-          if (span && res.status) {
-            span.setHttpStatus(res.status);
+          const originalResponse = await next();
+
+          if (span && originalResponse.status) {
+            span.setHttpStatus(originalResponse.status);
+          }
+
+          const hub = getCurrentHub();
+          const client = hub.getClient();
+          const contentType = originalResponse.headers.get('content-type');
+
+          const isPageloadRequest = contentType && contentType.startsWith('text/html');
+          if (!isPageloadRequest || !client) {
+            return originalResponse;
           }
-          return res;
+
+          // Type case necessary b/c the body's ReadableStream type doesn't include
+          // the async iterator that is actually available in Node
+          // We later on use the async iterator to read the body chunks
+          // see https://github.com/microsoft/TypeScript/issues/39051
+          const originalBody = originalResponse.body as NodeJS.ReadableStream | null;
+          if (!originalBody) {
+            return originalResponse;
+          }
+
+          const newResponseStream = new ReadableStream({
+            start: async controller => {
+              for await (const chunk of originalBody) {
+                const html = typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk);
+                const modifiedHtml = addMetaTagToHead(html, hub, span);
+                controller.enqueue(new TextEncoder().encode(modifiedHtml));
+              }
+              controller.close();
+            },
+          });
+
+          return new Response(newResponseStream, originalResponse);
         },
       );
       return res;
@@ -109,6 +147,20 @@ export const handleRequest: (options?: MiddlewareOptions) => MiddlewareResponseH
   };
 };
 
+/**
+ * This function optimistically assumes that the HTML coming in chunks will not be split
+ * within the <head> tag. If this still happens, we simply won't replace anything.
+ */
+function addMetaTagToHead(htmlChunk: string, hub: Hub, span?: Span): string {
+  if (typeof htmlChunk !== 'string') {
+    return htmlChunk;
+  }
+
+  const { sentryTrace, baggage } = getTracingMetaTags(span, hub);
+  const content = `<head>\n${sentryTrace}\n${baggage}\n`;
+  return htmlChunk.replace('<head>', content);
+}
+
 /**
  * Interpolates the route from the URL and the passed params.
  * Best we can do to get a route name instead of a raw URL.