Limit private data being sent #49

Closed
moll opened this Issue Aug 31, 2013 · 3 comments


moll commented Aug 31, 2013

Hello,

Raven sends an awful lot of requests' private data (and thereby private data of people) to Sentry, which frankly it mustn't.

Fortunately, reimplementing the Connect middleware is not too difficult, but there are bits of data gathering that are not possible to overwrite without changing the source. LINES_OF_CONTEXT, which grabs the contents of the source files, is one of those bits. If anything, that should be set as a property in some Raven object that would make it possible to disable source sending entirely.

Owner

mattrobenolt commented Aug 31, 2013

So I agree that there can be improvements to limit the user data that's being sent to Sentry. That is something that at least the main raven-python does.

As far as the LINES_OF_CONTEXT, I disagree. That's something that's pretty core to them all. What is your concern about sending the context lines?

moll commented Aug 31, 2013

Well, I don't want any source code transmitted off the server. File paths, fine, but no contents.

moll referenced this issue in getsentry/raven-ruby Sep 13, 2013

Closed

Scrub code lines from backtrace/Sentry event #130

Member

LewisJEllis commented Sep 16, 2016

At the moment this is possible via the dataCallback config option documented here. Specifically look at modifying or removing data.exception[0].stacktrace, which is an object with a frames property which is an array of frame objects that each look something like:

{
  filename: '/Users/lewis/dev/express-demo/index.js',
  lineno: 48,
  function: 'null.<anonymous>',
  in_app: true,
  module: 'index',
  pre_context: ['previous', 'lines', 'of', 'code'],
  context_line: '  throw new Error(\'oh no an error!\');',
  post_context: ['following', 'lines', 'of', 'code']
}

I'll add an item to the roadmap to create a more easily configurable filter to do this like Raven::Processor::RemoveStacktrace from raven-ruby.
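A worked version of the dataCallback approach described in the comment above, added here as an example and not code from the raven-node project or the commenter. It strips pre_context, context_line and post_context from every frame of every exception while keeping filename, lineno, function, module and in_app, so the trace stays navigable without any source leaving the server. The sample event is constructed to match the frame shape quoted above, the Raven.config wiring in the comment is hypothetical, and the assumption that raven-node sends whatever object the callback returns follows the dataCallback contract referred to in the comment.

```javascript
'use strict';

// Frame keys that carry source code (see the frame shape quoted above).
const SOURCE_KEYS = ['pre_context', 'context_line', 'post_context'];

// Collect the frames of every exception in a raven-node event payload,
// tolerating a missing exception array, stacktrace or frames field.
function allFrames(data) {
  const exceptions = Array.isArray(data && data.exception) ? data.exception : [];
  const out = [];
  for (const exc of exceptions) {
    const st = exc && exc.stacktrace;
    if (st && Array.isArray(st.frames)) out.push(...st.frames);
  }
  return out;
}

// dataCallback-style filter: delete the source-context keys from each frame.
// Mutates the event in place and returns it (assumption: raven-node sends the
// object returned by dataCallback).
function scrubSourceContext(data) {
  for (const frame of allFrames(data)) {
    for (const key of SOURCE_KEYS) delete frame[key];
  }
  return data;
}

// True if any frame still carries a source-context key; a cheap pre-send
// sanity check or test guard.
function hasSourceContext(data) {
  return allFrames(data).some(frame => SOURCE_KEYS.some(k => k in frame));
}

// dataCallback takes a single function, so compose several filters into one.
function chain(...filters) {
  return data => filters.reduce((acc, f) => f(acc), data);
}

// Constructed sample event shaped like the frame quoted above; not a real capture.
function sampleEvent() {
  return {
    message: 'oh no an error!',
    exception: [{
      type: 'Error',
      value: 'oh no an error!',
      stacktrace: {
        frames: [
          {
            filename: '/Users/lewis/dev/express-demo/index.js',
            lineno: 48,
            function: 'null.<anonymous>',
            in_app: true,
            module: 'index',
            pre_context: ['previous', 'lines', 'of', 'code'],
            context_line: "  throw new Error('oh no an error!');",
            post_context: ['following', 'lines', 'of', 'code']
          },
          // Second frame (constructed) with no source context at all.
          { filename: 'node_modules/express/lib/router/index.js', lineno: 280, in_app: false }
        ]
      }
    }]
  };
}

// Hypothetical wiring; raven-node is not loaded in this example:
//   Raven.config(process.env.SENTRY_DSN, { dataCallback: chain(scrubSourceContext) }).install();

const scrubbed = scrubSourceContext(sampleEvent());
console.log(JSON.stringify(scrubbed.exception[0].stacktrace.frames[0]));
console.log('source context left:', hasSourceContext(scrubbed));
```

Because the callback receives the whole event, the same chain can carry further filters for request fields the thread is concerned about; keeping each filter a pure function of the event makes them easy to test against constructed payloads before any error is ever sent.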
