New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(node): Redact URL authority only in breadcrumbs and spans #7740
Conversation
@@ -48,7 +48,8 @@ export function extractUrl(requestOptions: RequestOptions): string { | |||
!requestOptions.port || requestOptions.port === 80 || requestOptions.port === 443 ? '' : `:${requestOptions.port}`; | |||
// do not include search or hash in span descriptions, per https://develop.sentry.dev/sdk/data-handling/#structuring-data | |||
const path = requestOptions.pathname || '/'; | |||
const authority = requestOptions.auth ? `${requestOptions.auth}@` : ''; | |||
// // always filter authority, see https://develop.sentry.dev/sdk/data-handling/#structuring-data | |||
const authority = requestOptions.auth ? '[Filtered]:[Filtered]@' : ''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This always adds a [Filtered]
for both, username and password, even if only one of the two is present. We can refactor this to only set the respective one but I'd argue it's safer from a PII/user identification view to just always show [Filtered]:[Filtered]@
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After discussing this internally, we went with a more fine-grained redaction (see these test cases). We can likely reuse this function on the browser side later on
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch!
Co-authored-by: Luca Forstner <luca.forstner@sentry.io>
In #7667 we missed that our
urlToOptions
helper function is actually called to normalize request options that are then passed to the actual http client. Meaning, we shouldn't have redacted the authority in this function but at a later time when we extract the sanitized version (extractUrl
). This PR changes the redaction location accordingly and hence fixes requests with authority not being sent properly.closes #7724