Sanitize sensitive data from URLs sent to Sentry

[smeubank]

Problem Statement

When we do HTTP requests to third party services we create a breadcrumb with the URL and also create a span that has the URL as a description (and also breadcrumbs including this URL are created.)

Solution Brainstorm

We created RFC-0038 to decide how to improve the current situation and creating a spec here: getsentry/develop#773

Make sure that all integrations that record outgoing or incoming HTTP request structure the data like described in the spec linked above.

original issue:

getsentry/sentry-python#1742

[github-actions]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[aldenquimby]

@smeubank my team recently noticed that our performance traces have span descriptions with sensitive data because of this integration:

new Sentry.Integrations.Http({ tracing: true }),

Example span description:

GET https://api.mywebsite.com/renew_access_token?key=SENSITIVE&token=SENSITIVE

Ideally those sensitive values would be auto-scrubbed server side

It looks to me like this is exactly what this issue is about? I'd be happy to help work on this, but I see there is no Help Wanted label. Would you be open to a PR on this, or do you already have plans to implement? I think the changes would center around http.ts

[HazAT]

@aldenquimby please go ahead an open a PR, they are always welcome :)

[aldenquimby]

@HazAT here you go! #7206

[cleptric]

#7667