Open mikhno-s opened 2 years ago
Hey there, we should actually have this option as per our docs
By default, if Sentry can't find the uploaded files it needs, it will attempt to download them from the URLs in the stacktrace. To disable this, turn off "Enable JavaScript source fetching" in either your organization's "Security & Privacy" settings or your project's general settings.
I am asking about "hardcoded" functionality, because fetching source code can be the cause of a huge SSRF vulnerability, and I want to remove the possibility of enabling this function for managers and owners.
And a bit of a side question - which service in the Sentry architecture performs those requests for source map fetching?
Got it, so if I understand this correctly you'd want the sourcemaps completely disabled for everyone during the setup of your self-hosted instance? This request will have to go on our backlog then.
Our cron workers and web workers handle the source map calculation.
So another way to prevent such problems - I can put the services that are run via sentry run cron and sentry run worker in a DMZ, right?
By preventing such problems, are you referring to the security issues that might happen?
Yes, potentially SSRF
That sounds about right to me, although I'm not entirely certain
Problem Statement
We have a multiple-organisation setup and we need to have a way to disable source map fetching Sentry-wide.
Solution Brainstorm
Add a configuration parameter which disables source map fetching.
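
Added illustration, not Sentry's code and not written by anyone in this thread: the kind of destination check that a source fetcher, or an egress proxy in front of workers placed in a DMZ, can apply to stack-frame URLs before downloading them. The function names, sample URLs and DNS table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stack-frame URLs of the kind a source fetcher is asked to download.
SAMPLE_FRAME_URLS = [
    "https://cdn.example.com/static/app.min.js",
    "http://127.0.0.1:8080/app.js",
    "http://internal-admin.example.com/app.js",
    "http://[::1]:9000/app.js",
    "http://169.254.0.10/app.js",
    "ftp://cdn.example.com/app.js",
]

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "internal-admin.example.com": ["10.0.3.7"],
}

def resolve(host, dns=FAKE_DNS):
    """Return the addresses for host: IP literals as-is, names via the table."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]

def fetch_allowed(url, dns=FAKE_DNS):
    """Return (allowed, reason) for one candidate source URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    host = parts.hostname
    if not host:
        return False, "no host"
    addrs = resolve(host, dns)
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY answer is loopback, private, link-local or otherwise non-public.
    for ip in addrs:
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    return True, "ok"

if __name__ == "__main__":
    for u in SAMPLE_FRAME_URLS:
        print(u, fetch_allowed(u))
```

The same check has to be applied to the address the connection is actually made to and to every redirect hop, otherwise a name that resolves differently on the second lookup passes it.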