feat(node) add max lineno and colno limits (#12514)

We want to have some safeguards in place to avoid reading minified files
or large bundled files as we could incur a large processing time cost.
The output of such files is likely to be less useful anyways, so
contextlines would be low value

Author: JonasBa

packages/node/src/integrations/contextlines.ts

@@ -10,6 +10,11 @@ const LRU_FILE_CONTENTS_CACHE = new LRUMap<string, Record<number, string>>(10);
 const LRU_FILE_CONTENTS_FS_READ_FAILED = new LRUMap<string, 1>(20);
 const DEFAULT_LINES_OF_CONTEXT = 7;
 const INTEGRATION_NAME = 'ContextLines';
+// Determines the upper bound of lineno/colno that we will attempt to read. Large colno values are likely to be
+// minified code while large lineno values are likely to be bundled code.
+// Exported for testing purposes.
+export const MAX_CONTEXTLINES_COLNO: number = 1000;
+export const MAX_CONTEXTLINES_LINENO: number = 10000;
 
 interface ContextLinesOptions {
   /**
@@ -58,6 +63,15 @@ function shouldSkipContextLinesForFile(path: string): boolean {
   if (path.startsWith('data:')) return true;
   return false;
 }
+
+/**
+ * Determines if we should skip contextlines based off the max lineno and colno values.
+ */
+function shouldSkipContextLinesForFrame(frame: StackFrame): boolean {
+  if (frame.lineno !== undefined && frame.lineno > MAX_CONTEXTLINES_LINENO) return true;
+  if (frame.colno !== undefined && frame.colno > MAX_CONTEXTLINES_COLNO) return true;
+  return false;
+}
 /**
  * Checks if we have all the contents that we need in the cache.
  */
@@ -216,7 +230,8 @@ async function addSourceContext(event: Event, contextLines: number): Promise<Eve
           !frame ||
           typeof filename !== 'string' ||
           typeof frame.lineno !== 'number' ||
-          shouldSkipContextLinesForFile(filename)
+          shouldSkipContextLinesForFile(filename) ||
+          shouldSkipContextLinesForFrame(frame)
         ) {
           continue;
         }

packages/node/test/integrations/contextlines.test.ts

@@ -2,7 +2,12 @@ import * as fs from 'node:fs';
 import type { StackFrame } from '@sentry/types';
 import { parseStackFrames } from '@sentry/utils';
 
-import { _contextLinesIntegration, resetFileContentCache } from '../../src/integrations/contextlines';
+import {
+  MAX_CONTEXTLINES_COLNO,
+  MAX_CONTEXTLINES_LINENO,
+  _contextLinesIntegration,
+  resetFileContentCache,
+} from '../../src/integrations/contextlines';
 import { defaultStackParser } from '../../src/sdk/api';
 import { getError } from '../helpers/error';
 
@@ -22,6 +27,40 @@ describe('ContextLines', () => {
     jest.clearAllMocks();
   });
 
+  describe('limits', () => {
+    test(`colno above ${MAX_CONTEXTLINES_COLNO}`, async () => {
+      expect.assertions(1);
+      const frames: StackFrame[] = [
+        {
+          colno: MAX_CONTEXTLINES_COLNO + 1,
+          filename: 'file:///var/task/index.js',
+          lineno: 1,
+          function: 'fxn1',
+        },
+      ];
+
+      const readStreamSpy = jest.spyOn(fs, 'createReadStream');
+      await addContext(frames);
+      expect(readStreamSpy).not.toHaveBeenCalled();
+    });
+
+    test(`lineno above ${MAX_CONTEXTLINES_LINENO}`, async () => {
+      expect.assertions(1);
+      const frames: StackFrame[] = [
+        {
+          colno: 1,
+          filename: 'file:///var/task/index.js',
+          lineno: MAX_CONTEXTLINES_LINENO + 1,
+          function: 'fxn1',
+        },
+      ];
+
+      const readStreamSpy = jest.spyOn(fs, 'createReadStream');
+      await addContext(frames);
+      expect(readStreamSpy).not.toHaveBeenCalled();
+    });
+  });
+
   describe('lru file cache', () => {
     test('parseStack when file does not exist', async () => {
       expect.assertions(4);