
fix(android): Mask auth token in sentry.gradle upload-task log#6057

Merged
antonis merged 3 commits into main from fix/gradle-mask-auth-token on Apr 28, 2026

Conversation

antonis (Contributor) commented Apr 28, 2026

Type of change

  • Bugfix (non-breaking change which fixes an issue)

Description

The sentry-react-native upload task in sentry.gradle was logging its full sentry-cli argument list at the Gradle lifecycle log level (default verbosity). When flavorAware is enabled, those args include the auth token. Replace the token's value with *** in the logged copy; the actual command-line invocation is unchanged.

The masking is value-based via args.collect { it == sentryAuthToken ? "***" : it }, so the token is redacted wherever it appears in the args list. A short comment notes that loggedArgs must not be passed to the CLI.

Motivation and Context

Internal security review.

How did you test it?

  • Manually reviewed the diff and the surrounding flag layout (--url, --bundle, --sourcemap, --org, --project, --release, --dist, extraArgs) — only --auth-token carries a secret.
  • The repo has no Gradle/Groovy unit-test harness, so no automated test added. Verifiable by running a flavor-aware release build with a real token and grepping the build log: only *** appears next to --auth-token.

Checklist

  • I added tests to verify changes
  • No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
  • I updated the docs if needed.
  • I updated the wizard if needed.
  • All tests passing
  • No breaking changes

Next steps

None.

The upload task logged its full sentry-cli argument list at the gradle
lifecycle log level, which is the default verbosity. When flavorAware
is enabled the args include `--auth-token <token>`, exposing it in CI
build logs and developer terminal scrollback. Replace the token value
with `***` in the logged copy of the args; the actual command-line
invocation is unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
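An added example, not the sentry-react-native project's own sentry.gradle code, showing the value-based redaction the PR describes next to a flag-based variant that also covers the `--auth-token=<value>` spelling; the `redactArgs` name, the sample argument list and the placeholder token are constructed for this illustration.

```groovy
// Redact secrets from a copy of the sentry-cli argument list before it is
// logged. The returned list is for logging ONLY and must never be passed to
// the CLI; the original `args` list is what gets executed.
//
// Value-based: any arg equal to a known secret becomes "***" (the PR's approach).
// Flag-based:  the arg following --auth-token, and the value half of
//              --auth-token=<value>, are redacted even if the secret list is empty.
List<String> redactArgs(List<String> args, Collection<String> secrets) {
    List<String> out = []
    boolean maskNext = false
    args.each { String a ->
        if (maskNext) {                       // value that followed --auth-token
            out << '***'
            maskNext = false
        } else if (a == '--auth-token') {
            out << a
            maskNext = true
        } else if (a.startsWith('--auth-token=')) {
            out << '--auth-token=***'
        } else if (a && secrets.contains(a)) { // guard: empty token must not match empty args
            out << '***'
        } else {
            out << a
        }
    }
    return out
}

// Constructed sample mirroring the flag layout listed in the PR description.
def sentryAuthToken = 'sntrys_PLACEHOLDER_not_a_real_token'
def args = ['sentry-cli', 'react-native', 'gradle',
            '--url', 'https://sentry.example/',
            '--auth-token', sentryAuthToken,
            '--org', 'my-org', '--project', 'my-app',
            '--release', '1.0.0', '--dist', '1']

def loggedArgs = redactArgs(args, [sentryAuthToken])   // logging copy, never executed
assert !loggedArgs.contains(sentryAuthToken)
assert loggedArgs.join(' ') == 'sentry-cli react-native gradle --url https://sentry.example/ ' +
        '--auth-token *** --org my-org --project my-app --release 1.0.0 --dist 1'
assert redactArgs(["--auth-token=${sentryAuthToken}".toString()], []) == ['--auth-token=***']

println "Sentry CLI args: ${loggedArgs.join(' ')}"
// Inside the Gradle task the real list is what runs, e.g. commandLine(args)
```

Grepping a build log for the token after a flavor-aware release build, as the PR suggests, is the end-to-end check that only `***` ever appears next to `--auth-token`.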
github-actions Bot commented Apr 28, 2026

Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request

Generated by 🚫 dangerJS against 94107f2

Review comment thread on CHANGELOG.md (outdated)
@antonis antonis marked this pull request as ready for review April 28, 2026 09:54
@antonis antonis enabled auto-merge (squash) April 28, 2026 12:10
@antonis antonis merged commit 1b1809a into main Apr 28, 2026
48 of 62 checks passed
@antonis antonis deleted the fix/gradle-mask-auth-token branch April 28, 2026 12:23