From 3ddbb5f50c0827d1040b37623cce7a37a93f945a Mon Sep 17 00:00:00 2001 From: Markus Hintersteiner Date: Fri, 22 Dec 2023 13:59:06 +0100 Subject: [PATCH] Fix remove route params from txn context, as they may leak PII data (#3487) --- CHANGELOG.md | 7 +++++++ src/js/tracing/reactnavigation.ts | 6 ++++-- src/js/tracing/reactnavigationv4.ts | 6 ++++-- test/tracing/reactnavigation.test.ts | 2 +- test/tracing/reactnavigationv4.test.ts | 14 +++++--------- 5 files changed, 21 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a6b0c819e..e84bdbe9f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## Unreleased + +### Fixes + +- Stop sending navigation route params for auto-generated transactions, as they may contain PII or other sensitive data ([#3487](https://github.com/getsentry/sentry-react-native/pull/3487)) + - Further details and other strategies to mitigate this issue can be found on our [trouble shooting guide page](https://docs.sentry.io/platforms/react-native/troubleshooting/#routing-transaction-data-contains-sensitive-information) + ## 5.15.1 ### Fixes diff --git a/src/js/tracing/reactnavigation.ts b/src/js/tracing/reactnavigation.ts index 54ad946fcd..1504eb45cd 100644 --- a/src/js/tracing/reactnavigation.ts +++ b/src/js/tracing/reactnavigation.ts @@ -196,14 +196,16 @@ export class ReactNavigationInstrumentation extends InternalRoutingInstrumentati route: { name: route.name, key: route.key, - params: route.params ?? {}, + // TODO: filter PII params instead of dropping them all + params: {}, hasBeenSeen: routeHasBeenSeen, }, previousRoute: previousRoute ? { name: previousRoute.name, key: previousRoute.key, - params: previousRoute.params ?? {}, + // TODO: filter PII params instead of dropping them all + params: {}, } : null, }; diff --git a/src/js/tracing/reactnavigationv4.ts b/src/js/tracing/reactnavigationv4.ts index 8d7f302558..789375f50e 100644 --- a/src/js/tracing/reactnavigationv4.ts 
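Review bot: The two `// TODO: filter PII params instead of dropping them all` comments in the reactnavigation.ts hunk (on `route.params` and `previousRoute.params`) record a follow-up but not the reason the field is now empty, and they point that follow-up toward a filter. Route params are app-defined, so a filter that tries to recognise sensitive keys would miss anything it was not told about; if params are ever sent again, it should be through an explicit opt-in allowlist of keys. I would word the comment as `// Params are app-defined and may hold PII, so none are sent; re-add only via an opt-in allowlist of keys.` The same comment appears twice in the reactnavigationv4.ts hunk. The enclosing method starts and ends outside the hunk.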
+++ b/src/js/tracing/reactnavigationv4.ts @@ -264,14 +264,16 @@ class ReactNavigationV4Instrumentation extends InternalRoutingInstrumentation { route: { name: route.routeName, // Include name here too for use in `beforeNavigate` key: route.key, - params: route.params ?? {}, + // TODO: filter PII params instead of dropping them all + params: {}, hasBeenSeen: this._recentRouteKeys.includes(route.key), }, previousRoute: previousRoute ? { name: previousRoute.routeName, key: previousRoute.key, - params: previousRoute.params ?? {}, + // TODO: filter PII params instead of dropping them all + params: {}, } : null, }; diff --git a/test/tracing/reactnavigation.test.ts b/test/tracing/reactnavigation.test.ts index f2f2449857..de13ee7900 100644 --- a/test/tracing/reactnavigation.test.ts +++ b/test/tracing/reactnavigation.test.ts @@ -123,7 +123,7 @@ describe('ReactNavigationInstrumentation', () => { route: { name: route.name, key: route.key, - params: route.params, + params: {}, // expect the data to be stripped hasBeenSeen: false, }, previousRoute: { diff --git a/test/tracing/reactnavigationv4.test.ts b/test/tracing/reactnavigationv4.test.ts index ce84cdf2ad..061102ed25 100644 --- a/test/tracing/reactnavigationv4.test.ts +++ b/test/tracing/reactnavigationv4.test.ts @@ -119,7 +119,7 @@ describe('ReactNavigationV4Instrumentation', () => { route: { name: firstRoute.routeName, key: firstRoute.key, - params: firstRoute.params, + params: {}, // expect the data to be stripped hasBeenSeen: false, }, previousRoute: null, @@ -169,15 +169,13 @@ describe('ReactNavigationV4Instrumentation', () => { route: { name: action.routeName, key: action.key, - params: action.params, + params: {}, // expect the data to be stripped hasBeenSeen: false, }, previousRoute: { name: 'Initial Route', key: 'route0', - params: { - hello: true, - }, + params: {}, // expect the data to be stripped }, }, }); 
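Review bot: In the reactnavigation.test.ts hunk only the `route.params` expectation changes; the `previousRoute: {` expectation opens on the hunk's last line and is untouched, so the previous-route fixture in this test presumably carried no params to begin with. If so, the new `params: {}` for `previousRoute` in reactnavigation.ts is never exercised with real data here, unlike the v4 tests, where `hello: true` was present and is now expected to be stripped. I would give the previous route in this test a non-empty params object and keep the expectation at `params: {}`.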
@@ -230,15 +228,13 @@ describe('ReactNavigationV4Instrumentation', () => { route: { name: action.routeName, key: action.key, - params: action.params, + params: {}, // expect the data to be stripped hasBeenSeen: false, }, previousRoute: { name: 'Initial Route', key: 'route0', - params: { - hello: true, - }, + params: {}, // expect the data to be stripped }, }, sampled: false,
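Review bot: The updated expectation checks `params: {}` only at `data.route` and `data.previousRoute`; nothing here asserts that the fixture's param (`hello: true` on 'Initial Route', per the removed lines) is absent from the rest of the transaction context. Since this is the regression test for a data-leak fix, an extra assertion over the serialized context, e.g. `expect(JSON.stringify(<context under test>)).not.toContain('hello')`, would catch params reappearing through another field. `<context under test>` is a placeholder for whatever object the surrounding `expect` receives; that call starts outside the hunk.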