http.request.cookies is redacted but Cookie header is not #1402

Closed
fisherking opened this issue Aug 8, 2023 · 5 comments · Fixed by #1405
Comments

@fisherking

Describe the bug

From the spec:

Captured request and response headers, cookies, and form bodies MUST be sanitised (i.e. secrets removed) according to data sanitization rules.

However, this only happens for the http.request.cookies property, not the Cookie header.

It's possible to mitigate the issue just by extending ELASTIC_APM_SANITIZE_FIELD_NAMES with a cookie wildcard, but that's different from the default agent behaviour.

Steps to reproduce

It is enough just to inspect any transaction containing a Cookie header with session, or any other sensitive key.

Expected behaviour

One of the following behaviours needs to be implemented:

  • removing the Cookie header after adding the cookie property (like it's done in the Java agent - link)
  • sanitizing the Cookie header (like it's done in the Node.js agent)

Environment

  • OS: linux
  • Ruby version: 3.1.2
  • Framework and version: 6.1.7.3
  • APM Server version: 7.16.3
  • Agent version: 4.6.2
@estolfo (Contributor) commented Aug 15, 2023

Hi @fisherking thanks for opening this issue. Would you mind testing the PR opened here and letting me know if that's a sufficient solution? #1405
As a workaround, you could also set the sanitize field names config value to include "cookie" so the cookie in the header will be redacted.

@radeno commented Oct 6, 2023

I have the opposite experience. Everything in http.request.headers.Cookie is filtered, but I see everything parsed in http.request.cookies.*

My configuration part looks like this:

sanitize_field_names: "*ookie*,*uth*tion"

@estolfo (Contributor) commented Oct 6, 2023

Hi @radeno have you looked at the PR #1405? Does that help your situation?

@radeno commented Oct 6, 2023

I tried that branch, but I still see parsed cookies. The raw Cookie header is filtered.

@gpacuilla-st commented Nov 21, 2023

We're having the same issue as described in the OP - with Ruby agent 4.7.0.

Using the default settings, the http.request.cookies.CSRF-TOKEN (for example) is [FILTERED] but the http.request.headers.Cookie still contains the complete raw value.


For the record, this is what I set the envvar to in order to filter the http.request.headers.Cookie values:
the defaults from https://www.elastic.co/guide/en/apm/agent/go/current/configuration.html#config-sanitize-field-names plus *Cookie*

ELASTIC_APM_SANITIZE_FIELD_NAMES='password,passwd,pwd,secret,*key,*token*,*session*,*credit*,*card*,*auth*,set-cookie,*principal*,*Cookie*'
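The behaviour the thread describes comes down to what a sanitize_field_names pattern is compared against: a header-level pass only sees the header name "Cookie", while a cookie-level pass sees each cookie key. The following is an added example, not the elastic-apm agent's own code; the wildcard semantics, the default pattern list (copied from the envvar above without *Cookie*) and the sample request are assumptions made for illustration. It models both passes and a sanitizer that rebuilds the Cookie header from the sanitized cookies so the two views cannot disagree.

```ruby
# Added example, not the elastic-apm agent's own code. Models how
# sanitize_field_names patterns hit header names vs. parsed cookie keys.
DEFAULT_SANITIZE_FIELD_NAMES = %w[
  password passwd pwd secret *key *token* *session* *credit* *card* *auth*
  set-cookie *principal*
].freeze
FILTERED = '[FILTERED]'.freeze

# Turn a pattern such as "*session*" into a case-insensitive whole-name regexp
# (assumed matching semantics for this example).
def wildcard_to_regexp(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z', Regexp::IGNORECASE)
end

def sensitive_name?(name, patterns)
  patterns.any? { |p| wildcard_to_regexp(p).match?(name) }
end

# Header-level pass: only the header *name* is compared, so "Set-Cookie"
# matches the defaults but a plain "Cookie" header does not.
def sanitize_headers(headers, patterns)
  headers.to_h { |k, v| [k, sensitive_name?(k, patterns) ? FILTERED : v] }
end

# Cookie-level pass: every cookie key is compared individually.
def sanitize_cookies(cookies, patterns)
  cookies.to_h { |k, v| [k, sensitive_name?(k, patterns) ? FILTERED : v] }
end

# Parse a raw Cookie header; a simple "k=v; k2=v2" layout is assumed.
def parse_cookie_header(raw)
  raw.split(/;\s*/).map { |pair| k, v = pair.split('=', 2); [k, v] }.to_h
end

# Consistent behaviour: sanitize the parsed cookies, then rebuild the Cookie
# header from them (unless the header name itself is already redacted).
def sanitize_request(headers, patterns)
  sanitized = sanitize_headers(headers, patterns)
  return [sanitized, {}] unless headers.key?('Cookie')

  cookies = sanitize_cookies(parse_cookie_header(headers['Cookie']), patterns)
  unless sensitive_name?('Cookie', patterns)
    sanitized['Cookie'] = cookies.map { |k, v| v.nil? ? k : "#{k}=#{v}" }.join('; ')
  end
  [sanitized, cookies]
end

# Constructed sample request, not a real capture.
SAMPLE_HEADERS = { 'Cookie' => '_session_id=abc123; theme=dark; CSRF-TOKEN=tok42',
                   'Authorization' => 'Bearer xyz' }.freeze
```

With the defaults, sanitize_headers leaves the Cookie header untouched (the issue as reported), while sanitize_request yields `_session_id=[FILTERED]; theme=dark; CSRF-TOKEN=[FILTERED]`; a pattern list of only `*ookie*,*uth*tion` redacts the header name but no cookie key.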
