getsentry/sentry-dotnet

Url parameter secrets are not sanitized by default in ASP.NET

Closed this issue · 6 comments

Package: Sentry

.NET Flavor: .NET

.NET Version: 8.0.0

OS: Any (not platform specific)

SDK Version: 4.6.2

Self-Hosted Sentry Version: No response

Steps to Reproduce

  1. Create an endpoint with a URL parameter named secret
  2. Send a trace using Sentry

Expected Result

URL parameter would be masked (like with user IDs).

Actual Result

URL parameter is not masked and the full unmasked path is sent to Sentry.

Thanks for reaching out. That does sound like something that we probably should not do. Let me get back to you.

It looks like we have something to redact PII but nothing for secrets or sensitive information more generally:

    if (!_options.SendDefaultPii)
    {
        processedTransaction.Redact();
    }

If we did add something more generic to redact sensitive information, it would have to be flexible/configurable, as the kinds of things that indicate whether something is sensitive or not would definitely be culture specific and likely domain specific as well.

Possibly something like List<Regex> RedactUrlParameters on the SentryOptions.

I really like this idea. Let me check with the other SDKs if they have something like that in place.

I found an event scrubber on the Python SDK that has an extendable deny-list.

Looks like that scrubs everything.

I can't see any reference to this in the Developer Docs but we could just mimic the behaviour of the Python SDK.
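To make the two ideas in this thread concrete, the `List<Regex> RedactUrlParameters` option and a deny-list scrubber like the Python SDK's, here is an added example of what such a redactor could look like. It is not code from the Sentry .NET SDK; the class name, its members, the `[Filtered]` placeholder and the default patterns are all assumptions made for this illustration. Matching is done on the decoded parameter name, anchored so that `secret` does not also catch `secretary`, and everything that is not a matched value (path, other pairs, fragment) is copied through unchanged so the redacted URL still looks like the original request.

```csharp
#nullable enable
// Added example, not Sentry SDK code: a configurable deny-list redactor for
// URL query parameters, in the spirit of the proposed
// `List<Regex> RedactUrlParameters` option. Class, member and pattern names
// are constructed for this illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;

public static class UrlParameterRedactor
{
    // Written in place of a sensitive parameter's value.
    public const string Placeholder = "[Filtered]";

    // Constructed default deny-list over parameter *names* (case-insensitive,
    // anchored so "secret" does not also match "secretary").
    public static readonly IReadOnlyList<Regex> DefaultDenyList = new[]
    {
        new Regex(@"^secret$", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"^(api[_-]?)?key$", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"^(access_|refresh_|id_)?token$", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"^pass(word|wd)?$", RegexOptions.IgnoreCase | RegexOptions.Compiled),
    };

    /// Returns `url` with the value of every query parameter whose name matches
    /// a deny-list pattern replaced by Placeholder. Path, non-matching pairs and
    /// the fragment are copied through unchanged.
    public static string Redact(string url, IEnumerable<Regex>? denyList = null)
    {
        if (string.IsNullOrEmpty(url)) return url;
        var patterns = (denyList ?? DefaultDenyList).ToList();

        var queryStart = url.IndexOf('?');
        if (queryStart < 0) return url; // no query string, nothing to redact

        // Split off "#fragment" first so it is never treated as part of a value.
        var fragmentStart = url.IndexOf('#', queryStart);
        var fragment = fragmentStart >= 0 ? url.Substring(fragmentStart) : string.Empty;
        var query = fragmentStart >= 0
            ? url.Substring(queryStart + 1, fragmentStart - queryStart - 1)
            : url.Substring(queryStart + 1);

        // Start from everything up to and including '?'.
        var rebuilt = new StringBuilder(url.Substring(0, queryStart + 1));
        var first = true;
        foreach (var pair in query.Split('&'))
        {
            if (!first) rebuilt.Append('&');
            first = false;

            var eq = pair.IndexOf('=');
            if (eq < 0)
            {
                rebuilt.Append(pair); // bare flag such as "&debug": no value to hide
                continue;
            }

            // Match against the decoded name so "%73ecret" and "secret" are treated alike.
            var rawName = pair.Substring(0, eq);
            var name = Uri.UnescapeDataString(rawName.Replace('+', ' '));
            var sensitive = patterns.Any(p => p.IsMatch(name));

            rebuilt.Append(rawName).Append('=')
                   .Append(sensitive ? Placeholder : pair.Substring(eq + 1));
        }
        return rebuilt.Append(fragment).ToString();
    }

    public static void Main()
    {
        // Constructed sample request URL; example.test is a reserved test domain.
        const string sample =
            "https://example.test/api/login?user=alice&secret=s3cr3t&Access_Token=abc%2F123&debug#top";
        Console.WriteLine(Redact(sample));

        // The deny-list is extensible with domain-specific names, as the thread suggests.
        var custom = DefaultDenyList.Concat(new[] { new Regex(@"^ssn$", RegexOptions.IgnoreCase) });
        Console.WriteLine(Redact("https://example.test/lookup?ssn=123-45-6789", custom));
    }
}
```

On the sample URL above the values of `secret` and `Access_Token` are replaced with `[Filtered]` while `user`, the bare `debug` flag and the `#top` fragment pass through. Until the SDK grows an option like this, an application can apply the same function to the request URL from its before-send callback; note that it only covers query-string parameters, so a secret carried as a route segment (`/api/{secret}`) would need separate handling.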