
event_scrubber doesn't scrub events

Open InterstellarStella opened this issue 6 months ago • 5 comments

How do you use Sentry?

Sentry Saas (sentry.io)

Version

2.29.1

Steps to Reproduce

import sentry_sdk
from sentry_sdk.scrubber import EventScrubber, DEFAULT_DENYLIST, DEFAULT_PII_DENYLIST

# custom denylist
denylist = DEFAULT_DENYLIST + ["my_sensitive_var", "color"]
pii_denylist = DEFAULT_PII_DENYLIST + ["my_private_var", "color"]

sentry_sdk.init(
    dsn="MY_DSN",
    send_default_pii=False,
    event_scrubber=EventScrubber(denylist=denylist, pii_denylist=pii_denylist, recursive=True),
    traces_sample_rate=1.0,
    profile_session_sample_rate=1.0,
    profile_lifecycle="trace",
)

Expected Result

When visiting the app through the browser, and adding the parameter ?color=red (i.e. in my case http://127.0.0.1:8000/polls/error/?color=red), I would expect it to be scrubbed in my Sentry event.

Actual Result

The color parameter does not get scrubbed.

Example event from my test org here.

InterstellarStella avatar Jun 04 '25 08:06 InterstellarStella

https://sentry.zendesk.com/agent/tickets/154071

InterstellarStella avatar Jun 04 '25 08:06 InterstellarStella

@InterstellarStella this is in the query string and the scrubber only applies to dictionary keys if they match the denylist, so unfortunately this is not supported.

They will have to scrub the query string in before_send or before_send_transaction if they want, sorry.

sl0thentr0py avatar Jun 04 '25 11:06 sl0thentr0py

@sl0thentr0py What do you mean by "only applies to dictionary keys if they match the denylist"?

The documentation says:

The default scrubber implementation will run automatically and filter anything in the denylist from potentially sensitive interfaces in the event payload.

The "potentially sensitive interfaces" text contains a link to data collected by the Python SDK, which lists HTTP Headers and Request Query String. We expect the query string values to be scrubbed by the default scrubber option.

rodolfoBee avatar Jun 04 '25 12:06 rodolfoBee

Then we'll need a breaking change to change the query string to a dictionary rather than sending it as a string. I can keep the issue open, but if the user needs to fix this now, they'll need a before_send; it's not supported as of now.

The scrubber scrubs dictionaries for sensitive keys; it does not check each string value, as that would be prohibitively expensive SDK side and can be done on relay via Server side data scrubbing. The SDK side scrubbing is only a convenience helper and will never be a full-fledged solution for all kinds of cases.

In general, please encourage users to understand the server-side configuration and tooling available and not rely on the SDK for everything.

sl0thentr0py avatar Jun 04 '25 12:06 sl0thentr0py
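The before_send / before_send_transaction workaround that sl0thentr0py points to in both comments above, written out as an added example (not code from the issue or from sentry-python itself). It parses request.query_string, masks the values of denylisted keys with the same "[Filtered]" placeholder the built-in scrubber uses, and re-encodes the string; the denylist here is a small constructed one standing in for DEFAULT_DENYLIST + the custom keys, and the url handling is defensive (the SDK normally keeps the query separate from request.url).

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed denylist for the example: in real use extend
# DEFAULT_DENYLIST / DEFAULT_PII_DENYLIST from sentry_sdk.scrubber.
SCRUB_KEYS = {"password", "secret", "token", "api_key", "color", "my_sensitive_var"}
FILTERED = "[Filtered]"  # placeholder the built-in scrubber writes


def scrub_query_string(qs):
    """Mask the value of every denylisted key (case-insensitive) in a raw query string."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    if not pairs:
        return qs
    masked = [(k, FILTERED if k.lower() in SCRUB_KEYS else v) for k, v in pairs]
    # safe="[]" keeps the placeholder readable instead of %5BFiltered%5D
    return urlencode(masked, safe="[]")


def scrub_request(event, hint=None):
    """Hook for before_send and before_send_transaction.

    The SDK's EventScrubber only matches dictionary keys, so the query string
    (a plain str in event["request"]) is scrubbed here before the event leaves
    the process. Events without a request interface pass through untouched.
    """
    request = event.get("request")
    if not isinstance(request, dict):
        return event
    qs = request.get("query_string")
    if isinstance(qs, str) and qs:
        request["query_string"] = scrub_query_string(qs)
    url = request.get("url")
    if isinstance(url, str) and "?" in url:
        parts = urlsplit(url)
        request["url"] = urlunsplit(parts._replace(query=scrub_query_string(parts.query)))
    return event


def configure_sentry(dsn):
    """Wire the hook into sentry_sdk.init (import kept lazy so the helpers run without the SDK)."""
    import sentry_sdk

    sentry_sdk.init(
        dsn=dsn,  # e.g. "MY_DSN" placeholder from the issue
        send_default_pii=False,
        before_send=scrub_request,
        before_send_transaction=scrub_request,
    )
```

With this hook the event for /polls/error/?color=red arrives with query_string "color=[Filtered]"; server-side data scrubbing rules on relay remain the more complete option, as the comment above notes.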

If changing the SDK is causing breaking changes, we instead work on clarifying in the documentation how this is applied to events so users will have a better understanding of what to expect from it.

Created an issue for it: https://github.com/getsentry/sentry-docs/issues/13917

rodolfoBee avatar Jun 04 '25 12:06 rodolfoBee