Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization header is not being filtered in events from inbound requests #1714

Closed
rmsy opened this issue Feb 8, 2022 · 1 comment · Fixed by #1717
Closed

Authorization header is not being filtered in events from inbound requests #1714

rmsy opened this issue Feb 8, 2022 · 1 comment · Fixed by #1717
Assignees
@st0012
Labels
sentry-ruby
Milestone
5.1.0

Comments

@rmsy
Copy link

rmsy commented Feb 8, 2022
edited
Loading

Issue Description

Hi 👋

In this documentation, it's stated that with sendDefaultPii false, the following happens:

When attaching HTTP requests to events, "raw" bodies (bodies which cannot be parsed as JSON or formdata) are removed, and known sensitive headers such as Authorization or Cookies are removed too.

I noticed that the Authorization header is sent as part of the request context for error and APM events, even with sendDefaultPii set to false (the Cookie header is not sent, however).

Reproduction Steps

  1. Create a new Rails project, with sentry-ruby and sentry-rails
  2. Initialize Sentry with a valid config, with send_default_pii not explicitly defined
  3. Make requests resulting in APM and error events, with an Authorization header present
  4. Observe that it is included in events sent to Sentry

Expected Behavior

With the send_default_pii default of false, the Authorization header is not sent to the server.

Actual Behavior

With the send_default_pii default of false, the Authorization header is sent to the server.

Ruby Version

2.7.4

SDK Version

4.8.2

Integration and Its Version

No response

Sentry Config

...
    config.send_default_pii = false
...

I'm sorry to raise two issues in a single week 😓, but I asked about this in discord and Bruno suggested the behavior was incorrect and to report it here, so I wanted to make sure to do that. Thank you for all the work you put into this SDK, Stan 🙂
@rmsy rmsy added the Type: Bug label Feb 8, 2022
@st0012 st0012 added this to the 5.1.0 milestone Feb 10, 2022
@st0012 st0012 mentioned this issue Feb 10, 2022
Merged
@st0012
Copy link
Collaborator

st0012 commented Feb 10, 2022

@rmsy don't feel sorry 😅 it's my fault to let you step on 2 bugs in a week! I'm sorry about that and I really appreciate you reported the issues with details. I've added a PR to fix this 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@st0012 st0012

Labels
sentry-ruby
Projects
None yet
Milestone
5.1.0
Development

Successfully merging a pull request may close this issue.

Skip authorization header when send_default_pii is false getsentry/sentry-ruby
3 participants
@rmsy @st0012 @stephanie-anderson