sentry-javascript
sentry-javascript copied to clipboard
Cookies are being sent in an error-report by default in Express app
Is there an existing issue for this?
- [X] I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- [X] I have reviewed the documentation https://docs.sentry.io/
- [X] I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Self-hosted/on-premise
Which package are you using?
@sentry/node
SDK Version
7.7.0
Framework Version
7.7.0
Link to Sentry event
No response
Steps to Reproduce
Using @sentry/node
, Sentry.Handlers.requestHandler
does not clean up cookie sent in the headers, from express-based app by default.
We are using a React-app with express-server dealing with SSR.
In case of SSR-errors, @sentry/node is being used for handling errors.
According to documentation, passing this options object: { request: ['headers', 'method', 'query_string', 'url'] }
in Sentry.Handlers.requestHandler
, will NOT include cookies into the payload with an error-event sent to Sentry.
In our case it does and Sentry parses it as if we would actually pass the 'cookies' key into the options.request array.
Here is code to reproduce this in a basic express-app:
const Sentry = require('@sentry/node');
const app = require('express')();
const port = 3000;
Sentry.init({
dsn: DSN_KEY,
autoSessionTracking: false,
release: RELEASE,
beforeSend(event) {
console.log(event); // Will have cookie prop in the headers.
},
});
app.use(Sentry.Handlers.requestHandler({
request: ['headers', 'method', 'query_string', 'url'],
}));
app.get('/', (req, res) => {
throw new Error('pep, an error');
res.send('Hello World!');
});
app.use(Sentry.Handlers.errorHandler({
shouldHandleError() {
return true;
},
}));
app.listen(port, () => {
console.log(`Example app listening on port ${port}`);
});
Expected Result
Not passing 'cookies' key in the options.request
array will clean up cookies from headers.
Actual Result
While not passing cookies
key in the options.request
we still get cookies in the reports, being sent to Sentry.
Hi @ozerovs, thanks for writing in! We had a quick look at this issue and there might be something wrong on our end. We still need to look into it in greater detail. Backlogging this for now - thanks for reporting!
So has this issue had any progress made on it? I have the same problem and I now have PII in my sentry errors, which I really do not want.
Hi @thijs and apologies for the delay! We're looking into it right now.
Hi @thijs and @ozerovs,
I looked into this (thanks for the reproduction instruction) and found that the Sentry.requestHandler
middleware is indeed adding the Cookie
Http header to event.request.headers
, even if cookies
is explicitly not set in the middleware's options. I just opened a PR (#5898) to fix this.
Can you confirm that cookies were only wrongfully present in event.request.headers
but not in event.request.cookies
?
This was auto-closed by GH after merging the PR. Let me know if this PR doesn't entirely solve your issue (see my comment above) then I'll reopen this issue. We'll release this in the next patch.