getsentry / raven-python

Raven is the legacy Python client for Sentry (getsentry.com) — replaced by sentry-python
https://sentry.io
BSD 3-Clause "New" or "Revised" License

SanitizePasswordsProcessor and local vars #1253

Closed danlamanna closed 1 year ago

danlamanna commented 6 years ago

I'm experiencing an issue where values in certain locations are being masked by the SanitizePasswordsProcessor and not in others, namely in local variables pulled from stack traces.

The default regex for the processor is ^(?:\d[ -]*?){13,16}$ and when I have code such as this in my app:

from flask import Flask, current_app

app = Flask(__name__)  # app.sentry is assumed to be the raven Flask Sentry(app) instance


@app.route('/')
def index():
    # masked correctly: the value reaches the processor as a bare string
    current_app.sentry.client.context.merge({'extra': {
        'example': '4242424242424242'}})

    # shows up in sentry wrapped in single quotes: the local is serialized as its repr()
    example_var = "4242424242424242"
    raise Exception('foo')

the example from the extra context is masked correctly with asterisks, and the example_var from the stack trace is in plain text with quotes around it. It appears when it enters the sanitize method it is a string wrapped in single quotes which fails SanitizePasswordsProcessor.VALUES_RE.

Version information:

Python 3.6.5
raven==6.8.0

Is this expected behavior?

ehfeng commented 6 years ago

You are correct. The current regex does not capture the string wrapped in quotes, which is often how it is represented in stack locals. That seems like more of an oversight, and I've opened up a PR for that.

As it may be some time before a new version is stamped, in the meantime I'd suggest subclassing it and adding this processor to app.config['SENTRY_PROCESSORS'] = (SanitizeStackLocalStringValuesProcessor, ...) (assuming you're using flask) alongside whatever other processors you might already be using.

import re
from raven.processors import SanitizePasswordsProcessor

class SanitizeStackLocalStringValuesProcessor(SanitizePasswordsProcessor):
    VALUES_RE = re.compile(r'^\'?(?:\d[ -]*?){13,16}\'?$')  # same pattern, but tolerates the quotes of a repr()'d str local
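The behaviour described in this thread, reproduced as an added example (not code from raven-python or from either commenter). It uses a simplified stand-in for SanitizePasswordsProcessor.sanitize rather than importing raven, and a constructed dict of serialized frame locals; the two patterns are the default one quoted in the issue and the quote-tolerant one proposed above. It also goes slightly beyond the thread by adding a leaked_locals check a project could use in its own tests for a custom processor.

```python
import re

# Constructed sample of a stack frame's locals after raven has serialized them:
# string locals are stored as their repr(), so the quotes are part of the value
# that reaches SanitizePasswordsProcessor.sanitize. Card numbers are test values.
FRAME_LOCALS = {
    'example_var': repr("4242424242424242"),      # "'4242424242424242'"
    'card_dashed': repr("4242-4242-4242-4242"),   # "'4242-4242-4242-4242'"
    'count': repr(3),                             # "3"
    'greeting': repr("hello"),                    # "'hello'"
}

MASK = '*' * 8  # the same mask string the raven processor substitutes

# Default pattern from raven 6.8.0 (quoted in the issue) and the quote-tolerant
# variant proposed in the reply.
DEFAULT_VALUES_RE = re.compile(r'^(?:\d[ -]*?){13,16}$')
QUOTED_VALUES_RE = re.compile(r'^\'?(?:\d[ -]*?){13,16}\'?$')


def sanitize_value(value, values_re):
    """Simplified stand-in for SanitizePasswordsProcessor.sanitize: mask any string
    that matches the card-number pattern and leave every other value untouched."""
    if isinstance(value, str) and values_re.match(value):
        return MASK
    return value


def sanitize_locals(frame_locals, values_re):
    """Apply sanitize_value to every local of one serialized frame."""
    return {name: sanitize_value(value, values_re)
            for name, value in frame_locals.items()}


def leaked_locals(frame_locals, values_re):
    """Names of locals that still carry a 13-16 digit run after sanitizing.
    Handy as an assertion in a project's own tests for a custom processor."""
    digit_run = re.compile(r'^\D*(?:\d\D*){13,16}$')
    return sorted(
        name for name, value in sanitize_locals(frame_locals, values_re).items()
        if isinstance(value, str) and digit_run.match(value)
    )


if __name__ == '__main__':
    for label, pattern in (('default', DEFAULT_VALUES_RE), ('quoted', QUOTED_VALUES_RE)):
        print(label, sanitize_locals(FRAME_LOCALS, pattern),
              'leaked:', leaked_locals(FRAME_LOCALS, pattern))
```

With the default pattern, example_var and card_dashed survive sanitizing because the leading quote defeats the `^\d` anchor; with the quote-tolerant pattern both are masked and the non-card locals are untouched. One limitation worth knowing when writing such tests: repr() of a str that itself contains a single quote is emitted with double quotes, which neither pattern here accepts.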