Add "token" variables to Sentry's EventScrubber denylist #523
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅ ✅ All tests successful. No failed tests found 📢 Thoughts on this report? Let us know! |
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found Additional details and impacted files@@ Coverage Diff @@
## main #523 +/- ##
==========================================
- Coverage 91.45% 91.45% -0.01%
==========================================
Files 599 599
Lines 16212 16211 -1
==========================================
- Hits 14826 14825 -1
Misses 1386 1386
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found @@ Coverage Diff @@
## main #523 +/- ##
==========================================
- Coverage 91.45% 91.45% -0.01%
==========================================
Files 599 599
Lines 16212 16211 -1
==========================================
- Hits 14826 14825 -1
Misses 1386 1386
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found Additional details and impacted files@@ Coverage Diff @@
## main #523 +/- ##
=====================================
Coverage 95.76 95.76
=====================================
Files 774 774
Lines 17068 17067 -1
=====================================
- Hits 16345 16344 -1
Misses 723 723
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
codecov/settings_base.py
Outdated
| @@ -533,10 +531,13 @@ | |||
|
|
|||
| SENTRY_ENV = os.environ.get("CODECOV_ENV", False) | |||
| SENTRY_DSN = os.environ.get("SERVICES__SENTRY__SERVER_DSN", None) | |||
| sentry_deny_list = DEFAULT_DENYLIST + ["_headers", "token_to_use"] | |||
There was a problem hiding this comment.
[very nit] SENTRY_DENY_LIST for consistency
michelletran-codecov
force-pushed
the
sentry_token_leak
branch
from
170aac8
to
2da0162
Compare
This change will filter out the `_header` and `token_to_use` variables in a stacktrace frame so that the event doesn't push PII to Sentry.
michelletran-codecov
force-pushed
the
sentry_token_leak
branch
from
2da0162
to
e57388b
Compare
Purpose/Motivation
We want to ensure that
tokens don't get sent to Sentry when errors occur.Links to relevant tickets
https://github.com/codecov/internal-issues/issues/419
What does this PR do?
This change will filter out the
_headerandtoken_to_usevariables in a stacktrace frame so that the event doesn't push PII to Sentry. I'm currently filtering the whole_header, rather than just theauthorizationinside the_header. To enable that, I would need to enablerecursivein theEventScrubber, which might have potential performance implications.Notes to Reviewer
We might want to actually store the
denylistin thesharedrepo (so that we can reuse this same list inworker).Legal Boilerplate
Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. In 2022 this entity acquired Codecov and as result Sentry is going to need some rights from me in order to utilize my contributions in this PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.