Some concerns about PII: send_default_pii not being completely used, silent update on transactions capture with potential PII
Issue Description
I report some concerns about PII, after discovering some data on Sentry that I didn't know was captured.
I enabled Sentry Transaction/Performance 2 years ago. At that time, only the controller actions were reported, if I am not mistaken. Some months ago, I upgraded from 5.7.0 to 5.16.1. I usually read the changelog to check for any important changes, particularly around PII.
I discovered some weeks ago that the params of the controller actions are now captured. Some investigation on my side showed that this comes from https://github.com/getsentry/sentry-ruby/pull/1973, which was reported as "Fix sentry-rails' controller span nesting", without mentioning this change to what is captured, if I am not mistaken. This PR was introduced in 5.8.0.
Also, the send_default_pii option (https://docs.sentry.io/platforms/ruby/configuration/options/#send-default-pii) is presented as follows:
When its value is false (the default), sensitive information like:
- user ip
- user cookie
- request body
- query string in the url
won't be sent to Sentry.
which is not true here, as params is the body of the request. I expect this option to hide params in transactions, and probably in other parts.
What's your point of view? Did I miss something in the release notes or any other news channel?
Reproduction Steps
- upgrade from 5.7.0 to 5.16.1,
- params are added as span tags,
- content is displayed on Sentry interface.
Expected Behavior
- changelog mentioning any changes that may impact PII or any other data captured,
- treat these changes as breaking changes, and thus bump the version accordingly.
Actual Behavior
- changelog not mentioning this critical change in captured data,
- version not increased accordingly.
Ruby Version
3.3.4
SDK Version
5.21.0
Integration and Its Version
No response
Sentry Config
No response