Closed cbl closed 3 years ago
@Cannonb4ll `token` is added so `csrf_token` will be filtered.
Oh no, that is not true. I thought a parameter would be filtered when it contains any of the words in the blacklist. Maybe add this behaviour? 🤔
What I meant was, the `csrf_token` is a hidden input in Laravel applications with a key called `_token`, which we want to filter out too.
Things like `email` or similar information? To avoid any privacy issues.
@Cannonb4ll Yes I know. I added this to the other PR:
By this we can add strings like `*token*` or `*password*` to the blacklist. So `*token*` would also filter `csrf_token`.

> Things like `email`

I think `email` is something you might want to debug.
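The wildcard blacklist described above, as an added illustration that is not Larabug's own code: keys from request or session data are matched case-insensitively against `fnmatch()`-style patterns such as `*token*` and `*password*`, and the value of every matching key is replaced with a placeholder before the payload leaves the application. The function names, the placeholder string, the blacklist and the sample payload are all assumptions made for this example; the walk is recursive so a sensitive value nested under a harmless parent key (for example `user[password]`) is caught as well.

```php
<?php
// Added example, not code from the Larabug project. Demonstrates a recursive
// key blacklist with wildcard patterns: "*token*" matches "_token",
// "csrf_token" and "api_token"; a pattern without a wildcard must match the
// whole key, so "name" alone would not catch "username" but "*name*" does.

declare(strict_types=1);

const REDACTED = '[FILTERED]'; // hypothetical placeholder value

/**
 * True when $key matches any pattern in $blacklist (case-insensitive).
 */
function isBlacklistedKey(string $key, array $blacklist): bool
{
    foreach ($blacklist as $pattern) {
        if (fnmatch($pattern, $key, FNM_CASEFOLD)) {
            return true;
        }
    }
    return false;
}

/**
 * Walk the data recursively and replace the value of every blacklisted key
 * with the placeholder. Nested arrays are descended into so that a sensitive
 * value cannot hide under a parent key that is not itself blacklisted.
 */
function filterBlacklistedKeys(array $data, array $blacklist): array
{
    $filtered = [];
    foreach ($data as $key => $value) {
        if (isBlacklistedKey((string) $key, $blacklist)) {
            $filtered[$key] = REDACTED;
        } elseif (is_array($value)) {
            $filtered[$key] = filterBlacklistedKeys($value, $blacklist);
        } else {
            $filtered[$key] = $value;
        }
    }
    return $filtered;
}

// Hypothetical blacklist in the spirit of the thread: wildcards around
// token, password and name, plus an exact match on email.
$blacklist = ['*token*', '*password*', '*name*', 'email'];

// Constructed sample payload (not real data).
$request = [
    '_token'   => 'x1y2z3',
    'email'    => 'alice@example.com',
    'username' => 'alice',
    'remember' => '1',
    'user'     => [
        'password'  => 'hunter2',
        'api_token' => 'tok_123',
        'city'      => 'Berlin',
    ],
];

// _token, email, username, user.password and user.api_token come back as
// "[FILTERED]"; remember and user.city are left untouched.
print_r(filterBlacklistedKeys($request, $blacklist));
```

Note that with `fnmatch()` the wildcard is what makes a pattern broad: `*name*` covers `name`, `username` and `first_name`, whereas a bare `username` pattern covers only that one key. Filtering at this point, before the payload is serialised and sent, is the relevant control here, since the concern in the thread is the data reaching a third party rather than who can read the stored exception afterwards.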
@cbl I missed that one, yes, then you can use wildcards, which is great.
The email and name values are an issue as well I reckon, might want to obfuscate smartly before sending to Larabug?
I think `email` and `name` are not something you want to filter. And if you want to filter them you have the option to do so. The reason I added parameters is because it is useful to see those values for debugging. You should never give access to the exceptions to anyone who should not have access to the private data of your application anyway.
Why wouldn't you want to filter it by default? What use does user information have for exception logging? The problem is not access but sending that data to a third party, Larabug in this case.
From my experience with other exception tools, mainly ones for Android (Crashlytics), by default they never send user information unless you add it yourself.
Yes, you are right. This data should not be passed on to third parties by default. I will add this to the blacklist.
@Glennmen We really need to fix those tests.
@cbl Can you replace `*username*` with `*name*`? It's more broad.
I will try to look into it but this workflow wasn't made by me. I only did it for the Larabug app. But it shouldn't be blocking for this PR, I will fix it in a separate branch.
Can you also add `csrf_token`? @SebastiaanKloos @Glennmen If you have any other suggestions for keys to blacklist that we do not want to hold, let me know.