Stack position: 2/10. Blocked by #3000**.**
Implement the shared, pure helper that all wiring PRs (RUBY request interface, third-party breadcrumbs, Rails subscribers) will consume to resolve which keys/values to send.
Scope
- Collection modes:
:off / :deny_list (default) / :allow_list.
:off → collect nothing
:deny_list → collect all keys; replace values whose key matches the sensitive denylist with [Filtered]
:allow_list → only listed keys send real values; everything else [Filtered]
- Built-in sensitive denylist (partial, case-insensitive substring match), per spec:
auth, token, secret, password, passwd, pwd, key, jwt, bearer, sso, saml, csrf, xsrf, credentials, session, sid, identity.
(e.g. auth matches Authorization and X-Auth-Token.)
- Applies to
cookies, http_headers, query_params.
Files
- new helper under
sentry-ruby/lib/sentry/data_collection/ (e.g. key_value_filter.rb + denylist)
- isolated unit spec
Tests
- Each mode; denylist partial/case-insensitive matching; allow-list precedence; non-string keys.
Security-sensitive: this is the core scrubbing primitive.
Stack position: 2/10. Blocked by #3000**.**
Implement the shared, pure helper that all wiring PRs (RUBY request interface, third-party breadcrumbs, Rails subscribers) will consume to resolve which keys/values to send.
Scope
:off/:deny_list(default) /:allow_list.:off→ collect nothing:deny_list→ collect all keys; replace values whose key matches the sensitive denylist with[Filtered]:allow_list→ only listed keys send real values; everything else[Filtered]auth,token,secret,password,passwd,pwd,key,jwt,bearer,sso,saml,csrf,xsrf,credentials,session,sid,identity.(e.g.
authmatchesAuthorizationandX-Auth-Token.)cookies,http_headers,query_params.Files
sentry-ruby/lib/sentry/data_collection/(e.g.key_value_filter.rb+ denylist)Tests
Security-sensitive: this is the core scrubbing primitive.