GHSA-7cjh-xx4r-qh3f: sentry-android unmasked sensitive data in Android Session Replays for users of Jetpack Compose 1.8+

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 6/20/2025
Updated: 6/20/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| io.sentry:sentry-android | maven | < 8.14.0 | 8.14.0 |
| io.sentry:sentry-android-replay | maven | < 8.14.0 | 8.14.0 |
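
A check for the two exposure conditions this advisory names (an affected artifact below 8.14.0 together with Jetpack Compose 1.8+), run over Gradle dependency-tree output. This is an added example, not part of the advisory or of sentry-android; the sample tree is constructed, and reading the Compose version from `androidx.compose.ui:ui` is an assumption.

```python
import re

# Coordinates and fixed version are from the advisory's package table.
AFFECTED = ("io.sentry:sentry-android", "io.sentry:sentry-android-replay")
FIRST_PATCHED = (8, 14, 0)
# Assumption: the resolved androidx.compose.ui:ui version stands for "Compose 1.8+".
COMPOSE_COORD = "androidx.compose.ui:ui"
COMPOSE_MIN = (1, 8, 0)

# group:artifact[:requested][ -> resolved], as printed by `gradle dependencies`
DEP_RE = re.compile(r"([\w.\-]+:[\w.\-]+)(?::([\w.\-+]+))?(?:\s*->\s*([\w.\-+]+))?")

# Constructed sample output (not taken from a real project).
SAMPLE_TREE = r"""
releaseRuntimeClasspath
+--- io.sentry:sentry-android:8.13.2
|    +--- io.sentry:sentry-android-core:8.13.2
|    \--- io.sentry:sentry-android-replay:8.13.2
+--- androidx.compose:compose-bom:2025.05.00
|    \--- androidx.compose.ui:ui:1.8.1 (c)
\--- androidx.compose.ui:ui -> 1.8.1
"""

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if not numeric."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4].startswith("-")

def resolved_versions(tree_text):
    """Map each coordinate to the version Gradle resolved for it."""
    found = {}
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        version = m and (m[3] or m[2])
        if version and parse_version(version):
            found[m[1]] = version
    return found

def audit(tree_text):
    deps = resolved_versions(tree_text)
    vulnerable = {}
    for coord in AFFECTED:
        nums, pre = parse_version(deps[coord]) if coord in deps else (FIRST_PATCHED, False)
        # A pre-release of 8.14.0 sorts before the patched release.
        if nums < FIRST_PATCHED or (nums == FIRST_PATCHED and pre):
            vulnerable[coord] = deps[coord]
    compose = deps.get(COMPOSE_COORD)
    # Conservative: 1.8.0 pre-releases are treated as 1.8+.
    compose_hit = compose is not None and parse_version(compose)[0] >= COMPOSE_MIN
    return {"vulnerable": vulnerable, "compose": compose,
            "exposed": bool(vulnerable) and compose_hit}
```

Pass it the text printed by `gradle :app:dependencies --configuration releaseRuntimeClasspath`, where `:app` is a placeholder module name. A `compose` value of `None` means the tree did not list the assumed coordinate, so the Compose condition has to be checked by hand.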

Vulnerability Intelligence
Root Cause Analysis

The analysis of the provided patch commit `8bfa9cceab402e58f6723a0694158d27e8a41a56` points to a single root cause for the vulnerability: the incorrect retrieval of semantic information from Jetpack Compose UI nodes, leading to a failure in the data masking logic for session replays.

The primary file changed is `sentry-android-replay/src/main/java/io/sentry/android/replay/viewhierarchy/ComposeViewHierarchyNode.kt`. Within this file, the function `fromView` is the central point of logic for converting Compose nodes into a serializable view hierarchy. The original implementation directly accessed `node.collapsedSemantics` to determine properties of the UI element, which was the basis for the masking decision.

However, changes in Jetpack Compose version 1.8.0 and newer made this approach unreliable. The patch introduces a new function, `retrieveSemanticsConfiguration`, which uses reflection to access the correct semantic information on newer Compose versions while maintaining backward compatibility. Crucially, the call to this new function within `fromView` is wrapped in a try-catch block. If any error occurs during semantic retrieval, the code now defaults to masking the entire node, acting as a fail-safe.

This indicates that the `fromView` function was the source of the vulnerability. It was responsible for gathering the necessary data for the masking decision, and its failure to do so correctly on newer platforms is what led to the sensitive data exposure. The changes to `shouldMask` are a consequence of the fix in `fromView`, refactoring it to use the correctly retrieved `SemanticsConfiguration` object instead of directly accessing the `LayoutNode`.

The new test case, `when retrieving the semantics fails, a node should be masked`, further confirms this analysis by simulating a failure in `retrieveSemanticsConfiguration` and asserting that `fromView` correctly decides to mask the node, proving the effectiveness of the fix.