
Scrub sensitive query param values from Replay URLs #49495

Closed
cielt opened this issue May 19, 2023 · 4 comments · Fixed by getsentry/relay#2143
cielt commented May 19, 2023

Problem Statement

When Replays are captured and associated with a navigation event (by URL), we see in some cases that sensitive query param values (e.g., jwt or auth token) are displayed in full – either in a list view, ordered by URL, or on mouseover of some detail in a list of breadcrumbs.

In the sentry.client.config.js for our frontend (React - Next.js) app, we currently use the beforeBreadcrumb and beforeSend hooks to scrub sensitive values (including instances of a jwt param in URLs sent as part of a navigation or request breadcrumb, or in a stack trace). Is it possible to offer something like these hooks for Replays? Or some kind of config in the privacy & security settings that would address this?

Please let me know if more info / context would be helpful; happy to supply what I can. Thanks very much!


Please see the attachments below for details:

1️⃣ Entire jwt param visible on mouseover of URL in breadcrumb

Screenshot 2023-05-11 at 10 15 20 PM (1)

2️⃣ Example of jwt param obfuscated with beforeBreadcrumb or beforeSend

Screen Shot 2023-05-11 at 5 15 41 PM

3️⃣ Screen recording showing jwt revealed in full on mouseover
https://github.com/getsentry/sentry/assets/3287153/3f405d17-51b5-495e-8c86-6191d80db9e3

Solution Brainstorm

No response

Product Area

Replays

getsantry bot commented May 19, 2023

Assigning to @getsentry/support for routing, due by Monday, May 22nd at 12:13 pm (sfo). ⏲️

getsantry bot commented May 19, 2023

Routing to @getsentry/product-owners-replays for triage, due by Tuesday, May 23rd at 15:54 (yyz). ⏲️

cmanallen commented May 22, 2023

Hey @cielt there's a PR here for tracking: getsentry/relay#2143

This will use platform and user-defined regexes to scrub PII.
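The following is an added example, not code from the issue author, from Sentry or from the relay PR. It shows the client-side approach the issue body describes (scrubbing URLs in `beforeBreadcrumb` and `beforeSend`) combined with the two scrubbing strategies mentioned in this comment: a list of known-sensitive parameter names and value regexes, so that a JWT-shaped value is redacted even when it arrives under an unexpected parameter name. The parameter-name list, the JWT pattern, the `[Filtered]` placeholder and the breadcrumb/event field names (`data.url`, `data.from`, `data.to`, `request.url`) are assumptions made here; adjust them to what your app actually sends. The scrubber also runs over the URL fragment, because OAuth implicit-flow tokens are delivered there rather than in the query string.

```javascript
// Added example: scrub sensitive query/fragment parameter values from URLs
// before they are attached to Sentry breadcrumbs or events. Not Sentry code.

// Assumed list of parameter names whose values are always redacted (case-insensitive).
const SENSITIVE_PARAMS = ['jwt', 'token', 'auth', 'access_token', 'id_token', 'refresh_token'];

// Assumed value patterns: redact regardless of parameter name. A compact JWS/JWT is
// three base64url segments separated by dots; the header segment for a JSON object
// always starts with "eyJ". The signature segment may be empty (alg "none").
const SENSITIVE_VALUE_PATTERNS = [
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/,
];

const REDACTED = '[Filtered]'; // assumed placeholder text

function isSensitive(name, value) {
  if (SENSITIVE_PARAMS.includes(name.toLowerCase())) return true;
  return SENSITIVE_VALUE_PATTERNS.some((re) => re.test(value));
}

// Decode a raw query component for matching; keep the raw text if it is malformed.
function safeDecode(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw;
  }
}

// Rewrite "a=1&jwt=...&b=2" so that sensitive values become REDACTED.
// Non-sensitive pairs are passed through byte-for-byte so their encoding is untouched.
function scrubQuery(query) {
  return query
    .split('&')
    .map((pair) => {
      if (pair === '') return pair;
      const eq = pair.indexOf('=');
      const rawName = eq === -1 ? pair : pair.slice(0, eq);
      const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
      return isSensitive(safeDecode(rawName), safeDecode(rawValue))
        ? `${rawName}=${REDACTED}`
        : pair;
    })
    .join('&');
}

// Scrub both the query string and the fragment of an absolute or relative URL.
function scrubUrl(url) {
  if (typeof url !== 'string') return url;
  const hashIndex = url.indexOf('#');
  const beforeHash = hashIndex === -1 ? url : url.slice(0, hashIndex);
  const fragment = hashIndex === -1 ? null : url.slice(hashIndex + 1);
  const qIndex = beforeHash.indexOf('?');
  const path = qIndex === -1 ? beforeHash : beforeHash.slice(0, qIndex);
  const query = qIndex === -1 ? null : beforeHash.slice(qIndex + 1);
  let out = path;
  if (query !== null) out += '?' + scrubQuery(query);
  if (fragment !== null) out += '#' + scrubQuery(fragment);
  return out;
}

// beforeBreadcrumb hook: navigation breadcrumbs carry data.from / data.to,
// fetch and xhr breadcrumbs carry data.url (assumed field names).
function scrubBreadcrumb(breadcrumb) {
  if (!breadcrumb || !breadcrumb.data) return breadcrumb;
  const data = { ...breadcrumb.data };
  for (const key of ['url', 'from', 'to']) {
    if (typeof data[key] === 'string') data[key] = scrubUrl(data[key]);
  }
  return { ...breadcrumb, data };
}

// beforeSend hook: scrub the request URL and any breadcrumbs already on the event.
function scrubEvent(event) {
  if (!event) return event;
  const out = { ...event };
  if (out.request && typeof out.request.url === 'string') {
    out.request = { ...out.request, url: scrubUrl(out.request.url) };
  }
  if (Array.isArray(out.breadcrumbs)) out.breadcrumbs = out.breadcrumbs.map(scrubBreadcrumb);
  return out;
}

// Wire both hooks into the options object passed to Sentry.init(...).
const sentryOptions = {
  beforeBreadcrumb: (breadcrumb) => scrubBreadcrumb(breadcrumb),
  beforeSend: (event) => scrubEvent(event),
};
```

Spread `sentryOptions` into your existing `Sentry.init({...})` call in `sentry.client.config.js`. Because the value patterns run on every parameter, a token that leaks under a new or misspelled name is still caught, which is the gap a name-only list leaves open; the trade-off is that any other value that happens to look like a JWT is redacted too.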

cielt commented May 22, 2023

Super; thanks @cmanallen!

cmanallen added a commit to getsentry/relay that referenced this issue May 23, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Jun 8, 2023