ref(pii): Consider all token as sensitive [INGEST-1550] #1527

Merged
merged 4 commits into from
Oct 17, 2022
Changes from 3 commits
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@

- Limit the number of custom measurements per event. ([#1483](https://github.com/getsentry/relay/pull/1483)))
- Add INP web vital as a measurement. ([#1487](https://github.com/getsentry/relay/pull/1487))
- Consider all tokens as sensitive, filter out all `*token*` from the input. ([#1527](https://github.com/getsentry/relay/pull/1527))

** Bug Fixes**:

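Review bot: The added #1527 entry says "filter out all `*token*` from the input" but does not say that the match is on key names, or that keys listed in `exclude_fields` are still passed through, which is what `test_safe_fields_for_token` in this PR asserts for `access_token`, `github_token` and `stripetoken`. Suggest wording along the lines of "Treat every key containing `token` as sensitive by default; keys listed in `exclude_fields` are kept", so users with a non-secret `*token*` field know how to opt out. The identical line in py/CHANGELOG.md would need the same change.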
1 change: 1 addition & 0 deletions py/CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@
- Add `transaction_info` to event payloads, including the transaction's source and internal original transaction name. ([#1330](https://github.com/getsentry/relay/pull/1330))
- Add user-agent parsing to replays processor. ([#1420](https://github.com/getsentry/relay/pull/1420))
- `convert_datascrubbing_config` will now return an error string when conversion fails on big regexes. ([#1474](https://github.com/getsentry/relay/pull/1474))
- Consider all tokens as sensitive, filter out all `*token*` from the input. ([#1527](https://github.com/getsentry/relay/pull/1527))

## 0.8.13

32 changes: 32 additions & 0 deletions relay-general/src/pii/convert.rs
Expand Up @@ -1368,4 +1368,36 @@ THd+9FBxiHLGXNKhG/FRSyREXEt+NyYIf/0cyByc9tNksat794ddUqnLOg0vwSkv
let pii_config = pii_config.unwrap();
insta::assert_json_snapshot!(pii_config);
}

#[test]
fn test_safe_fields_for_token() {
let mut data = Event::from_value(
serde_json::json!({
"extra": {
"password": "foo",
"github_token": "bar",
"access_token": "quz",
"stripetoken": "baz",
"my-token": "secret",
"new_token": "hidden",
"secret-token-here": "ops"
}
})
.into(),
);
let pii_config = to_pii_config(&DataScrubbingConfig {
sensitive_fields: vec![],
exclude_fields: vec![
"GITHUB_TOKEN".to_owned(),
"access_token".to_owned(),
"stripetoken".to_owned(),
],
..simple_enabled_config()
});

let pii_config = pii_config.unwrap();
let mut pii_processor = PiiProcessor::new(pii_config.compiled());
process_value(&mut data, &mut pii_processor, ProcessingState::root()).unwrap();
assert_annotated_snapshot!(data);
}
}
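Review bot: In the `exclude_fields` list of `test_safe_fields_for_token`, `"GITHUB_TOKEN"` is upper-case while the event key is `github_token`, so the test depends on exclusions being matched case-insensitively without saying so. A one-line comment that the casing is intentional would stop a later cleanup from "fixing" it. The input also has no key where `token` itself appears in upper or mixed case, even though the new pattern relies on `(?i)`, and no nested object; adding one such key to `extra` would cover the case-insensitive path of the new `.*token.*` alternative directly.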
2 changes: 1 addition & 1 deletion relay-general/src/pii/regexes.rs
Expand Up @@ -269,6 +269,6 @@ static US_SSN_REGEX: Lazy<Regex> = Lazy::new(|| {

static PASSWORD_KEY_REGEX: Lazy<Regex> = Lazy::new(|| {
Regex::new(
r"(?i)(password|secret|passwd|api_key|apikey|access_token|auth|credentials|mysql_pwd|stripetoken|privatekey|private_key|github_token)"
r"(?i)(password|secret|passwd|api_key|apikey|auth|credentials|mysql_pwd|privatekey|private_key|.*token.*)"
).unwrap()
});
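Review bot: The new `.*token.*` alternative on the added `r"(?i)(...)"` line is written differently from every other alternative in the group, which are bare substrings such as `password` or `auth`. If `PASSWORD_KEY_REGEX` is used as an unanchored search, plain `token` matches exactly the same keys and the surrounding `.*` is redundant; if the caller anchors it, this alternative behaves differently from the rest of the group. A short comment stating which is intended, or switching to plain `token`, would remove the ambiguity. Separately, the pattern now catches any key that merely contains `token` (for example a hypothetical `token_count`), so a comment above the static pointing to `exclude_fields` as the way to keep such keys would help.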
@@ -0,0 +1,71 @@
---
source: relay-general/src/pii/convert.rs
expression: data
---
{
"extra": {
"access_token": "quz",
"github_token": "bar",
"my-token": "[Filtered]",
"new_token": "[Filtered]",
"password": "[Filtered]",
"secret-token-here": "[Filtered]",
"stripetoken": "baz"
},
"_meta": {
"extra": {
"my-token": {
"": {
"rem": [
[
"@password:filter",
"s",
0,
10
]
],
"len": 6
}
},
"new_token": {
"": {
"rem": [
[
"@password:filter",
"s",
0,
10
]
],
"len": 6
}
},
"password": {
"": {
"rem": [
[
"@password:filter",
"s",
0,
10
]
],
"len": 3
}
},
"secret-token-here": {
"": {
"rem": [
[
"@password:filter",
"s",
0,
10
]
],
"len": 3
}
}
}
}
}