feat(node) Sanitize URLs in Span descriptions and breadcrumbs (PII) #7206
Conversation
Replay SDK metrics 🚀
develop |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Revision | LCP | CLS | CPU | JS heap avg | JS heap max | netTx | netRx | netCount | netTime |
|---|---|---|---|---|---|---|---|---|---|
| 1cf8988 | +53.81 ms | -0.00 ms | +4.80 pp | +929.88 kB | +1.05 MB | +2.22 kB | +41 B | +1 | +91.07 ms |
| 68655e3 | +72.60 ms | +0.00 ms | +7.90 pp | +922.72 kB | +1.04 MB | +2.22 kB | +41 B | +1 | +109.40 ms |
| a8449de | +58.27 ms | -0.00 ms | +7.12 pp | +927.42 kB | +1.05 MB | +2.2 kB | +41 B | +1 | +98.31 ms |
| 79babe9 | +58.69 ms | -0.00 ms | +4.40 pp | +927.46 kB | +1.06 MB | +2.23 kB | +41 B | +1 | +103.20 ms |
| 5359ba9 | +55.62 ms | -0.00 ms | +4.29 pp | +935.26 kB | +1.05 MB | +2.2 kB | +41 B | +1 | +79.05 ms |
Last updated: Thu, 16 Feb 2023 20:05:52 GMT
It's a bit of both. One of the goals of the RFC was to enable better server-side scrubbing by moving the data into a structured format. And it will also allow us to apply better client-side scrubbing in the future. |
Co-authored-by: Michi Hoffmann <[email protected]>
Co-authored-by: Michi Hoffmann <[email protected]>
aldenquimby
requested review from
cleptric and
antonpirker
and removed request for
cleptric and
antonpirker
|
Just wanted to note that my org is really looking forward to this landing as well! Thanks @aldenquimby and Sentry folks for putting this work together. |
|
@antonpirker @cleptric is there anything else you'd like to see here to get this over the finish line? Appreciate the help, we're excited to remove sensitive info from our perf traces |
cleptric
requested review from
a team,
lforst and
Lms24
and removed request for
a team
|
@aldenquimby Assigned the FE team, which takes care of the JS SDK. |
There was a problem hiding this comment.
Hi @aldenquimby, thanks for opening this PR, really appreciate it! Your changes LGTM. I left a few comments regarding your questions and a small remark. Once they are addressed we'll merge this and include it in the next release.
Lms24
changed the title
|
@Lms24 all changes made! You could argue we shouldn't deprecate rawUrl at all, and that user-controlled span/attachment filters should have full access to unsanitized URLs. If you'd prefer that I can do another small refactor to remove the deprecation and reuse a little more of the code. As it stands I tried to make rawUrl easy to delete in a future version |
Hey @aldenquimby you're right about the deprecation being unnecessary. We discussed this internally and we think passing the raw url to the filter function is fine, also in the future. So yes, please if you have time, go ahead and make that change :) Sorry for the back and forth and thanks for your patience! :) |
As of getsentry/sentry-javascript#7206 the Node.js SDK will not append search parameters to the span's description or the URL. Instead, the search parameters will be in the `http.query` key.
|
Closing in favour of #7667 where I just added some comments and removed the deprecation. |
Fixes #6389
My understanding of getsentry/develop#773 is that scrubbing will happen server side, but getsentry/sentry-python#1876 seems to do the scrubbing client side? #5347 could be related. Even if we do want client-side scrubbing, this PR could be a good first step.
First time contributing
Before submitting a pull request, please take a look at our Contributing guidelines and verify:
yarn lint) & (yarn test).