
Is sanitizeKeys supported in the new JavaScript SDK? #1564

Closed
aguynamedben opened this issue Sep 21, 2018 · 5 comments

Comments

@aguynamedben

The sanitizeKeys option from Raven isn't documented in the new JavaScript SDK docs. Is that feature supported? From searching the code it looks like sanitizeKeys is only in Raven.

Is the recommendation to just use the beforeSend hook to do my own sanitation?

@aguynamedben
Author

I see this page now... looks like it says to use beforeSend. 👍

@aguynamedben
Author

aguynamedben commented Sep 22, 2018

If anybody is looking to do this, maybe this will help. I noticed that Sentry breadcrumbs can tend to upload sensitive data from XHR requests and console log messages. This is how I init Sentry...

Note: This does not clean up data in extras, tags, etc. Just breadcrumbs. But you could apply the same concept using Sentry's beforeSend.

setupSentry.js

Note: Depends on redact-object

```js
import redact from 'redact-object';
import { scrubUrlParams, sensitiveKeys } from '../jsHelpers';

//... (the imports of Sentry, app and isDev are elided in the original post)

function startSentry() {
  Sentry.init({
    debug: isDev,
    dsn: process.env.SENTRY_DSN,
    release: `${process.env.SENTRY_PROJECT}-${app.getVersion()}`,
    onFatalError: () => {
      process.exit(1);
    },
    beforeBreadcrumb(breadcrumb) {
      // Examples:
      // category: electron, type: ui
      // category: console, type: undefined (remove access_token from data)
      // category: xhr, type: http (remove access_token from URL)
      // log.debug(`Breadcrumb - ${breadcrumb.category} - ${breadcrumb.type}`);

      // console breadcrumbs from redux-logger may contain Redux state and
      // therefore access tokens or refresh tokens. Redact tokens from Sentry
      // breadcrumbs.
      if (breadcrumb.category === 'console') {
        breadcrumb.data = redact(breadcrumb.data, sensitiveKeys);
        // log.info(`New console breadcrumb data`, breadcrumb.data);
      }

      // xhr breadcrumbs may contain URLs which may contain access tokens or
      // refresh tokens. Redact tokens from URLs. (Guard on data so a
      // breadcrumb without it cannot throw inside the hook.)
      if (breadcrumb.category === 'xhr' && breadcrumb.data) {
        breadcrumb.data.url = scrubUrlParams(breadcrumb.data.url);
        // log.info(`New url breadcrumb data`, breadcrumb.data);
      }

      return breadcrumb;
    },
  });
}
```

jsHelpers.js

Note: Depends on url from Node.js

```js
import url from 'url';

export const sensitiveKeys = [
  'key',
  'token', 'secret',
  'accessToken', 'access_token', 'access-token',
  'refreshToken', 'refresh_token', 'refresh-token',
  'code', 'authorization_code',
  'password',
];

/**
 * Replace the values of sensitive URL query params with 'REDACTED'.
 *
 * i.e. https://foo.com?password=sekrit -> https://foo.com?password=REDACTED
 *
 * @param {string} urlString - The URL (including querystring) you'd like
 * params scrubbed on.
 * @param {string[]} paramsToScrub - An array of strings naming the
 * querystring params you'd like to scrub from the URL.
 * @returns {string} The URL with values for the paramsToScrub converted to
 * 'REDACTED'.
 */
export function scrubUrlParams(urlString, paramsToScrub = sensitiveKeys) {
  const parts = url.parse(urlString, true); // `true` parses the querystring into an object
  const params = parts.query;
  for (const param of Object.keys(params)) {
    if (paramsToScrub.includes(param)) {
      params[param] = 'REDACTED';
    }
  }
  parts.query = params;

  // url.format() uses `search` verbatim when it is set and only falls back to
  // `query` otherwise, so the original search string has to go or the
  // redaction is lost: https://stackoverflow.com/a/7517673/3516664
  delete parts.search;

  return url.format(parts);
}
```
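The comment above notes that the hook only cleans breadcrumbs and that the same concept could be applied in beforeSend. As an added example (not code from the issue or from Sentry), here is that generalization: a dependency-free recursive redactor plus a beforeSend hook that scrubs tags, extra, request data and every breadcrumb. Field names follow Sentry's event shape; the `sampleEvent` is constructed for the demo and the WHATWG `URL` API replaces the legacy `url.parse`.

```javascript
// Added example (not from the issue): the redaction idea above applied to the whole
// event in beforeSend, without redact-object; field names follow Sentry's event shape.
const SENSITIVE_KEYS = new Set([
  'key', 'token', 'secret', 'accessToken', 'access_token', 'access-token',
  'refreshToken', 'refresh_token', 'refresh-token', 'code', 'authorization_code', 'password',
]);
const MASK = 'REDACTED';
// Deep copy of `value` with the value under any sensitive key replaced by MASK;
// recurses into nested objects and arrays, primitives come back unchanged.
function redactDeep(value, keys = SENSITIVE_KEYS) {
  if (Array.isArray(value)) return value.map((v) => redactDeep(v, keys));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) out[k] = keys.has(k) ? MASK : redactDeep(v, keys);
  return out;
}

// Mask sensitive query values via the WHATWG URL API. XHR breadcrumbs often carry
// relative URLs, so those are parsed against a dummy base that is stripped again.
function scrubUrlParams(urlString, keys = SENSITIVE_KEYS) {
  if (typeof urlString !== 'string') return urlString;
  const base = 'http://relative.invalid';
  let u;
  try { u = new URL(urlString, base); } catch (err) { return urlString; } // unparseable: leave as-is
  for (const k of [...u.searchParams.keys()]) if (keys.has(k)) u.searchParams.set(k, MASK);
  const out = u.toString();
  return /^[a-z][a-z0-9+.-]*:/i.test(urlString) ? out : out.slice(base.length);
}

// beforeSend hook: returns a scrubbed copy of the event (tags, extra, request, and
// each breadcrumb's data and URL). Wire up with Sentry.init({ beforeSend: scrubEvent }).
function scrubEvent(event) {
  const e = { ...event };
  for (const f of ['tags', 'extra', 'request']) if (e[f]) e[f] = redactDeep(e[f]);
  if (e.request) e.request.url = scrubUrlParams(e.request.url);
  if (Array.isArray(e.breadcrumbs)) {
    e.breadcrumbs = e.breadcrumbs.map((b) => {
      const data = redactDeep(b.data);
      if (data && typeof data.url === 'string') data.url = scrubUrlParams(data.url);
      return { ...b, data };
    });
  }
  return e;
}
// Constructed sample event (not a real capture); try scrubEvent(sampleEvent).
const sampleEvent = {
  tags: { env: 'prod', access_token: 'abc' },
  extra: { state: { auth: { refresh_token: 'r1', user: 'ben' } }, list: [{ password: 'p' }] },
  request: { url: 'https://api.example.com/login?code=1234&page=2', data: { password: 'hunter2' } },
  breadcrumbs: [{ category: 'xhr', data: { url: '/token?refresh_token=r1&x=1', method: 'GET' } }],
};
```

Request headers and cookies are copied through unchanged unless their names appear in `SENSITIVE_KEYS`, so extend the set (or handle `request.headers` separately) if your API sends tokens that way.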

@HazAT
Member

HazAT commented Sep 24, 2018

@aguynamedben Cool example, thank you very much for this.
We will soon release a new way of how to strip sensitive data in SDKs, stay tuned.

@aguynamedben
Author

Nice! Yeah, it makes sense to build it in.

@dhessler

> @aguynamedben Cool example, thank you very much for this.
> We will soon release a new way of how to strip sensitive data in SDKs, stay tuned.

@HazAT any updates/timeline on scrubbing sensitive data natively for Sentry?
