Enabling the ANR feature caused the debug main process function to become inoperative #904

Closed
3 tasks done
PayneFuRC opened this issue May 11, 2024 · 4 comments
PayneFuRC commented May 11, 2024

Is there an existing issue for this?

How do you use Sentry?

Sentry Saas (sentry.io)

Electron SDK Version

4.24.0

Electron Version

27.2.0

What platform are you using?

None

Link to Sentry event

No response

Steps to Reproduce

  1. enable sentry main process ANR detection
  2. kill -sigusr1 mainProcessID
  3. open chrome://inspect in chrome

Expected Result

There's a remote target

Actual Result

no remote target

@PayneFuRC
Author

After enabling the Sentry ANR feature, it automatically activates the debugger, which listens on a local port. It is likely that this is the cause.

I have a question: With the debugger opened by default, if someone knows this port number, they could remotely control the app. Isn't that unsafe?

@Lms24
Member

Lms24 commented May 14, 2024

Hi @PayneFuRC thanks for writing in and apologies for the late reply! Unfortunately this seems to have slipped through since we've been busy with releasing version 8.0.0 of the JS SDKs.

@timfish would you mind taking a look at this when you have some time?

@timfish
Collaborator

timfish commented May 14, 2024

> With the debugger opened by default, if someone knows this port number, they could remotely control the app. Isn't that unsafe?

The ANR feature in the main process uses the Node debugger to detect event loop blocking from a worker thread. I'll add to the docs to make this more clear.

127.0.0.1 is the localhost port. This means it's only accessible from the local machine.

This does mean that software running on the local machine can potentially open a debug connection to your app. Depending on the nature of your app this may be a security concern. Note that unless you set Electron Fuses, your app can be started with --inspect to expose the debugger.
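
One way to check, from inside a Node or Electron main process, whether an inspector listener is active and which address it is bound to. This is an added example, not part of the thread and not Sentry's or Electron's code; the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example: not Sentry's or Electron's code.
const inspector = require('node:inspector');
const net = require('node:net');

// Classify the bind address in an inspector WebSocket URL, the format
// inspector.url() returns, e.g. ws://127.0.0.1:9229/<session-id>.
function classifyInspectorUrl(wsUrl) {
  if (!wsUrl) {
    return { active: false, exposure: 'none', host: null, port: null };
  }
  const u = new URL(wsUrl);
  const host = u.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  const port = Number(u.port);
  const loopback =
    host === 'localhost' ||
    host === '::1' ||
    (net.isIPv4(host) && host.startsWith('127.')); // all of 127.0.0.0/8
  // 'local-only' still means any software on this machine can connect.
  // 'network' covers wildcard binds (0.0.0.0, ::) and interface addresses.
  const exposure = loopback ? 'local-only' : 'network';
  return { active: true, exposure, host, port };
}

// Audit the current process. inspector.url() is undefined when no
// inspector is listening.
function auditInspector() {
  return classifyInspectorUrl(inspector.url());
}

// Constructed sample URLs, not taken from the issue.
const samples = [
  'ws://127.0.0.1:9229/0f2c0a1e-constructed',
  'ws://[::1]:9229/0f2c0a1e-constructed',
  'ws://0.0.0.0:9229/0f2c0a1e-constructed',
];
for (const s of samples) {
  console.log(s, '->', classifyInspectorUrl(s).exposure);
}
console.log('this process:', auditInspector());
```
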

@PayneFuRC
Author

ok, got it. Thanks.
