Skip to content

feat(pii): Sensitive denylist + key-value collection modes helper #3001

Description

@sl0thentr0py

Stack position: 2/10. Blocked by #3000**.**

Implement the shared, pure helper that all wiring PRs (RUBY request interface, third-party breadcrumbs, Rails subscribers) will consume to resolve which keys/values to send.

Scope

  • Collection modes: :off / :deny_list (default) / :allow_list.
    • :off → collect nothing
    • :deny_list → collect all keys; replace values whose key matches the sensitive denylist with [Filtered]
    • :allow_list → only listed keys send real values; everything else [Filtered]
  • Built-in sensitive denylist (partial, case-insensitive substring match), per spec:
    auth, token, secret, password, passwd, pwd, key, jwt, bearer, sso, saml, csrf, xsrf, credentials, session, sid, identity.
    (e.g. auth matches Authorization and X-Auth-Token.)
  • Applies to cookies, http_headers, query_params.

Files

  • new helper under sentry-ruby/lib/sentry/data_collection/ (e.g. key_value_filter.rb + denylist)
  • isolated unit spec

Tests

  • Each mode; denylist partial/case-insensitive matching; allow-list precedence; non-string keys.

Security-sensitive: this is the core scrubbing primitive.

Metadata

Metadata

Assignees

Labels

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions