feat(pii): Base SpanData PII on relay-conventions by loewenheim · Pull Request #5997 · getsentry/relay

loewenheim · 2026-05-13T13:19:04Z

This replaces the default PII value on SpanData with a function that looks up a field's name (as defined by the metastructure annotation) in sentry-conventions. If the name isn't found, the function returns Pii::True to be safe.

It also updates sentry-conventions for getsentry/sentry-conventions@523f1f0.

Additionally, it fixes a very annoying edge case bug in PII string processing: the logic assumes that a null byte can be freely inserted into strings to mark already removed chunks, but some PII regexes do match null bytes. I've corrected one such regex that otherwise would cause a test failure.

Closes INGEST-919.

This replaces the default PII value on `SpanData` with a function that looks up a field's name (as defined by the `metastructure` annotation) in `sentry-conventions`. If the name isn't found, the function returns `Pii::True` to be safe.

linear-code · 2026-05-13T13:19:11Z

INGEST-919

loewenheim · 2026-05-13T13:20:29Z

        )
        (
-            [^/\\\r\n]+
+            [^/\\\r\n\x00]+


If this regex can match a null byte it causes problems with redactions.

loewenheim · 2026-05-13T13:21:31Z

            "url.full": {
                "type": "string",
-                "value": "https://www.service.io/users/01234-qwerty/settings/98765-adfghj",
+                "value": "https://www.service.io/users/[user]/settings/98765-adfghj",


This attribute has become pii: "true" in the current conventions version.

loewenheim · 2026-05-13T13:21:52Z

            "sentry.description": {
                "type": "string",
-                "value": "GET https://www.service.io/users/01234-qwerty/settings/98765-adfghj",
+                "value": "GET https://www.service.io/users/[user]/settings/98765-adfghj",


This attribute is filled from url.full, hence inherits the redaction.

Dav1dde

This is a change with potentially big impact, are you confident we have sufficient test coverage already?

loewenheim · 2026-05-13T14:22:56Z

-        match self.pii() {
-            Pii::True => Some(Cow::Borrowed(&PII_TRUE_FIELD_ATTRS)),
-            Pii::False => None,
-            Pii::Maybe => Some(Cow::Borrowed(&PII_MAYBE_FIELD_ATTRS)),
+        match self.attrs().pii {
+            PiiMode::Static(Pii::True) => Some(Cow::Borrowed(&PII_TRUE_FIELD_ATTRS)),
+            PiiMode::Static(Pii::False) => None,
+            PiiMode::Static(Pii::Maybe) => Some(Cow::Borrowed(&PII_MAYBE_FIELD_ATTRS)),
+            PiiMode::Dynamic(f) => Some(Cow::Owned(DEFAULT_FIELD_ATTRS.pii_dynamic(f))),


Previously, when deriving the attributes for recursion, we would eagerly resolve a dynamic PII value function into a static value. Now we instead pass the dynamic function through.

loewenheim · 2026-05-13T14:41:28Z

Oh, and to actually answer this:

This is a change with potentially big impact, are you confident we have sufficient test coverage already?

No, not necessarily 😞. I would probably extend the test_spandata_conventions test with more cases.

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 7fa8c6d. Configure here.}

cursor · 2026-05-13T16:17:43Z

+            PiiMode::Static(Pii::True) => Some(Cow::Borrowed(&PII_TRUE_FIELD_ATTRS)),
+            PiiMode::Static(Pii::False) => None,
+            PiiMode::Static(Pii::Maybe) => Some(Cow::Borrowed(&PII_MAYBE_FIELD_ATTRS)),
+            PiiMode::Dynamic(f) => Some(Cow::Owned(DEFAULT_FIELD_ATTRS.pii_dynamic(f))),


Dynamic PII in inner_attrs over-scrubs nested field values

Medium Severity

The PiiMode::Dynamic(f) arm in inner_attrs passes span_data_pii_from_conventions through to children of complex-typed fields (e.g., gen_ai.input.messages of type Annotated<Value>). When such a field contains a nested object, each sub-key (like "role" or "content") is looked up in conventions via state.keys().next(). Sub-keys not found in conventions get Pii::True, whereas previously (with pii = "maybe" on SpanData) they inherited Pii::Maybe. This upgrades scrubbing from "only specific path selectors" to "generic selectors like $string match," causing unintended data removal in nested structures.

Additional Locations (1)

relay-event-schema/src/protocol/span.rs#L460-L475

^{Reviewed by Cursor Bugbot for commit 7fa8c6d. Configure here.}

True in principle, but not really a concern.

loewenheim · 2026-05-19T10:22:29Z

I do believe this is sufficiently tested now. I've also looked over conventions again and found no egregious cases of PII being misconfigured.

loewenheim added 2 commits May 13, 2026 15:14

feat(pii): Base SpanData PII on relay-conventions

eea1bbf

This replaces the default PII value on `SpanData` with a function that looks up a field's name (as defined by the `metastructure` annotation) in `sentry-conventions`. If the name isn't found, the function returns `Pii::True` to be safe.

Fix bug and test

0e8be5e

loewenheim requested a review from a team as a code owner May 13, 2026 13:19

loewenheim self-assigned this May 13, 2026

loewenheim commented May 13, 2026

View reviewed changes

Changelog

55ab550

Dav1dde reviewed May 13, 2026

View reviewed changes

Comment thread tests/integration/test_spansv2.py

Comment thread relay-event-schema/src/protocol/span.rs

loewenheim commented May 13, 2026

View reviewed changes

Comment thread CHANGELOG.md Outdated

sentry Bot reviewed May 13, 2026

View reviewed changes

Comment thread relay-event-schema/src/protocol/span.rs

loewenheim added 2 commits May 13, 2026 16:19

Fix state PII inheritance

0bbd1e3

Fix changelog

e48ff37

loewenheim commented May 13, 2026

View reviewed changes

cursor Bot reviewed May 13, 2026

View reviewed changes

Comment thread relay-event-schema/src/protocol/span.rs

loewenheim added 2 commits May 13, 2026 17:26

Expand test

677e075

ref test

1b71ccb

cursor Bot reviewed May 13, 2026

View reviewed changes

Comment thread relay-event-schema/src/protocol/span.rs

Manually set PII for profile_id

7fa8c6d

cursor Bot reviewed May 13, 2026

View reviewed changes

loewenheim requested a review from Dav1dde May 19, 2026 10:21

Dav1dde approved these changes May 19, 2026

View reviewed changes

Comment thread CHANGELOG.md Outdated

loewenheim added 2 commits May 19, 2026 13:21

Merge branch 'master' into sebastian/span-data-conventions

d8d48b6

Fix changelog

f0ef69f

loewenheim enabled auto-merge May 19, 2026 11:24

loewenheim added this pull request to the merge queue May 19, 2026

Merged via the queue into master with commit 60b66c8 May 19, 2026
34 checks passed

loewenheim deleted the sebastian/span-data-conventions branch May 19, 2026 12:01

Conversation

loewenheim commented May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

linear-code Bot commented May 13, 2026

Uh oh!

loewenheim May 13, 2026

Choose a reason for hiding this comment

Uh oh!

loewenheim May 13, 2026

Choose a reason for hiding this comment

Uh oh!

loewenheim May 13, 2026

Choose a reason for hiding this comment

Uh oh!

Dav1dde left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

loewenheim May 13, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

loewenheim commented May 13, 2026

Uh oh!

Uh oh!

cursor Bot left a comment

Choose a reason for hiding this comment

Uh oh!

cursor Bot May 13, 2026

Choose a reason for hiding this comment

Dynamic PII in inner_attrs over-scrubs nested field values

Uh oh!

loewenheim May 18, 2026

Choose a reason for hiding this comment

Uh oh!

loewenheim commented May 19, 2026

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

loewenheim commented May 13, 2026 •

edited

Loading

Dynamic PII in `inner_attrs` over-scrubs nested field values