Closed nrajput05 closed 4 days ago
Alternatively, you can also use --sentry-defines for the auth token in combination with sentry.properties or pubspec.yaml; this way you don't have to keep the auth token in the properties file.
You can also override or extend your file based configuration by passing the parameters as arguments in the format --sentry-define=<KEY>=<VALUE>. They take precedence over your file based parameters, but not over the alternative environment variables.
dart run sentry_dart_plugin --sentry-define=auth_token=my_auth_token
I could use --sentry-defines but it will add another layer of reading this value from a source either on local machine or when this is running on the CI/CD.
My question was more in terms of best practices for this file. For example, when one implements Google Analytics via Firebase, the GoogleService-Info.plist and google-services.json files are harmless even if someone gets their hands on these.
Since I am placing sentry.properties file in the root of flutter project and it will be a part of my build how vulnerable is it to keep the auth_token in it?
When you create the token, you're assigning permissions to it. Then when you share it (by writing it in a file) and who you share it with, you have to assume they now have the same permissions.
Normally in shared/non-private projects, you'd use environment variables for tokens, namely SENTRY_AUTH_TOKEN in this case.
Yes, that's fine by me if any colleague working with my code is looking at the sentry.properties file. My ask was what happens after deployment to web/iOS/Android. Is this .properties file visible when someone outside gets their hands on the ipa/apk/web-assets and they somehow extract the minified/obfuscated code?
I'll be closing this as this is not Sentry related (properties files are not specific to Sentry)
Generally speaking I wouldn't recommend exposing any sensitive data in a file that is shipped with your app.
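The advice in this thread (keep the token out of files that are committed or shipped, and supply it through SENTRY_AUTH_TOKEN or --sentry-define instead) can be enforced as a CI check. The script below is an added example, not part of the thread and not sentry_dart_plugin code; the function names and sample values are constructed. It does not assume that the build bundles sentry.properties; it checks an output or unpacked artifact directory to see whether it did.

```bash
#!/usr/bin/env bash
# Added example: hypothetical helper names, constructed sample data.

# Report every non-empty auth_token entry in <dir>/sentry.properties
# (auth_token=...) or <dir>/pubspec.yaml (auth_token: ...).
# Only line numbers are printed, so the token never reaches CI logs.
# Returns 1 if a token is stored in a file, 0 otherwise.
find_inline_auth_token() {
  local dir="$1" f lines hits=0
  # Commented-out lines and empty values do not match.
  local pat='^[[:space:]]*auth_token[[:space:]]*[=:][[:space:]]*[^[:space:]#]'
  for f in "$dir/sentry.properties" "$dir/pubspec.yaml"; do
    [ -f "$f" ] || continue
    lines=$(grep -nE "$pat" "$f" | cut -d: -f1 | tr '\n' ' ') || true
    if [ -n "$lines" ]; then
      echo "$f: auth_token set on line(s) $lines"
      hits=1
    fi
  done
  return "$hits"
}

# List any sentry.properties found under a build output or an unpacked
# artifact directory (for example build/web, or an extracted apk/ipa).
# Returns 1 if the file was shipped, 0 if the tree is clean.
find_shipped_properties() {
  local found
  found=$(find "$1" -type f -name 'sentry.properties' 2>/dev/null) || true
  if [ -n "$found" ]; then
    printf '%s\n' "$found" | sed 's/^/shipped in build: /'
    return 1
  fi
  return 0
}

# Constructed sample project; the token value is made up.
demo_dir=$(mktemp -d)
printf '# demo file\nauth_token=constructed-not-a-real-token\n' \
  > "$demo_dir/sentry.properties"
mkdir -p "$demo_dir/build/web"

if ! find_inline_auth_token "$demo_dir"; then
  echo "fix: remove it and export SENTRY_AUTH_TOKEN in the CI environment"
fi
if find_shipped_properties "$demo_dir/build/web"; then
  echo "build output contains no sentry.properties"
fi
rm -rf "$demo_dir"
```

In a pipeline, call both functions on the real project root and build directory and fail the job when either returns non-zero.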