Closed bilfeldt closed 2 years ago
You've pasted yourself what is the purpose of the dontFlash
property:
/**
* A list of the inputs that are never flashed for validation exceptions.
*
* @var array
*/
protected $dontFlash
The only usage of it is in \Illuminate\Foundation\Exceptions\Handler::invalid
:
protected function invalid($request, ValidationException $exception)
{
return redirect($exception->redirectTo ?? url()->previous())
->withInput(Arr::except($request->input(), $this->dontFlash))
->withErrors($exception->errors(), $request->input('_error_bag', $exception->errorBag));
}
And it does exactly what it says it would do.
What does session flashing for validation exceptions have to do with Sentry logging?
Saying that the dontFlash
property is not honored does not make sense as Sentry logging and validation session flashing are two completely unrelated functionalities so IMO this issue should be closed.
I agree that $dontFlash
should not affect how Sentry handles and reports exceptions, it is a Laravel feature and doesn't translate to what Sentry does since "flashing" is a whole other operation than loggin data about the request.
You can read more about how to scrub data from Sentry reports here: https://docs.sentry.io/platforms/php/guides/laravel/data-management/sensitive-data/.
I agree that
$dontFlash
should not affect how Sentry handles and reports exceptions, it is a Laravel feature and doesn't translate to what Sentry does since "flashing" is a whole other operation than loggin data about the request.
it seems like I misinterpreted the configuration option $dontFlash
since indeed this config is solely regarding the flashing of validation exception data.
You can read more about how to scrub data from Sentry reports here: https://docs.sentry.io/platforms/php/guides/laravel/data-management/sensitive-data/.
It seems that the before_send
hook is indeed capable of filtering out sensitive data from the request.
This is clearly not a but after all @stayallive, sorry about the misunderstanding. That being said would it not be beneficial for this dedicated Laravel Sentry package to provide a super easy and intuitive configuration option for filtering out sensitive data from the requests given that this is in fact already the recommended way of dealing with sensitive data according to the Sentry specs? That way every user would not have to write own filtering logic, but instead a simply array of fields could be provided:
Using
before_send
in the SDKs to scrub any data before it is sent is the recommended scrubbing approach, so sensitive data never leaves the local environment.
Environment
How do you use Sentry? Laravel package
Which SDK and version? sentry/sentry-laravel:2.11.1
Steps to Reproduce
app/Exceptions/Handler.php@report
test
to the property$dontFlash
of the fileapp/Exceptions/Handler.php
vendor/sentry/sentry/src/Transport/HttpTransport.php@L107
like so:/dev/runtime-exception?test=foo-bar
which simply throws a Runtime Exception:Expected Result
The payload being transported to Sentry should not have the
test
parameter value "foo-bar" present in the payload being transported to Sentry but it does.Actual Result
This is the payload being sent:
Note that the parameter is present in the
request.url
andrequest.query_string
. I would have expected those to be replaced by asterisks or something like that: