fix: filter extra even without request (#14)

mrexox · Jan 27, 2025 · 2341bf8 · 2341bf8
1 parent ac6a7b6
commit 2341bf8
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 26 deletions.
diff --git a/.github/workflows/ci-macos.yml b/.github/workflows/ci-macos.yml
@@ -6,7 +6,7 @@ on:
 jobs:
   rspec:
     name: Unit tests
-    runs-on: macos-latest
+    runs-on: macos-13
     strategy:
       matrix:
         include:

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -8,7 +8,8 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.2)
-    concurrent-ruby (1.1.10)
+    bigdecimal (3.1.9)
+    concurrent-ruby (1.3.5)
     diff-lcs (1.5.0)
     docile (1.4.0)
     parallel (1.23.0)
@@ -44,7 +45,8 @@ GEM
     rubocop-ast (1.29.0)
       parser (>= 3.2.1.0)
     ruby-progressbar (1.13.0)
-    sentry-ruby (5.4.1)
+    sentry-ruby (5.22.2)
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
     simplecov (0.18.5)
       docile (~> 1.1)

diff --git a/lib/sentry/sanitizer/cleaner.rb b/lib/sentry/sanitizer/cleaner.rb
@@ -20,34 +20,42 @@ def initialize(config)
       end
 
       def call(event)
-        if event.is_a?(Sentry::Event)
-          sanitize(event, :object) if event.request
-        elsif event.is_a?(Hash)
-          sanitize(event, :stringified_hash) if event["request"]
-          sanitize(event, :symbolized_hash) if event[:request]
+        case event
+        when Sentry::Event
+          sanitize(event, :event)
+        when Hash
+          sanitize(event, :hash)
         end
       end
 
-      def sanitize(event, type)
+      def sanitize(event, type) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
         case type
-        when :object
-          event.request.data = sanitize_data(event.request.data)
-          event.request.headers = sanitize_headers(event.request.headers)
-          event.request.cookies = sanitize_cookies(event.request.cookies)
-          event.request.query_string = sanitize_query_string(event.request.query_string)
+        when :event
+          if event.request
+            event.request.data = sanitize_data(event.request.data)
+            event.request.headers = sanitize_headers(event.request.headers)
+            event.request.cookies = sanitize_cookies(event.request.cookies)
+            event.request.query_string = sanitize_query_string(event.request.query_string)
+          end
           event.extra = sanitize_data(event.extra)
-        when :stringified_hash
-          event["request"]["data"] = sanitize_data(event["request"]["data"])
-          event["request"]["headers"] = sanitize_headers(event["request"]["headers"])
-          event["request"]["cookies"] = sanitize_cookies(event["request"]["cookies"])
-          event["request"]["query_string"] = sanitize_query_string(event["request"]["query_string"])
-          event["extra"] = sanitize_data(event["extra"])
-        when :symbolized_hash
-          event[:request][:data] = sanitize_data(event[:request][:data])
-          event[:request][:headers] = sanitize_headers(event[:request][:headers])
-          event[:request][:cookies] = sanitize_cookies(event[:request][:cookies])
-          event[:request][:query_string] = sanitize_query_string(event[:request][:query_string])
-          event[:extra] = sanitize_data(event[:extra])
+        when :hash
+          if event["request"]
+            event["request"]["data"] = sanitize_data(event["request"]["data"])
+            event["request"]["headers"] = sanitize_headers(event["request"]["headers"])
+            event["request"]["cookies"] = sanitize_cookies(event["request"]["cookies"])
+            event["request"]["query_string"] = sanitize_query_string(event["request"]["query_string"])
+          elsif event[:request]
+            event[:request][:data] = sanitize_data(event[:request][:data])
+            event[:request][:headers] = sanitize_headers(event[:request][:headers])
+            event[:request][:cookies] = sanitize_cookies(event[:request][:cookies])
+            event[:request][:query_string] = sanitize_query_string(event[:request][:query_string])
+          end
+
+          if event["extra"]
+            event["extra"] = sanitize_data(event["extra"])
+          elsif event[:extra]
+            event[:extra] = sanitize_data(event[:extra])
+          end
         end
       end
 

diff --git a/spec/sentry/sanitizer/cleaner_spec.rb b/spec/sentry/sanitizer/cleaner_spec.rb
@@ -15,6 +15,23 @@
     Sentry.configuration
   end
 
+  context "without a request" do
+    before do
+      Sentry.init do |config|
+        config.sanitize.fields = [:password]
+      end
+    end
+
+    it "clears extra fields" do
+      subject.call(event)
+
+      expect(event.extra).to match a_hash_including(
+        password: Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+        not_password: "NOT SECRET"
+      )
+    end
+  end
+
   context "GET request" do
     before do
       Sentry.init do |config|
@@ -233,6 +250,46 @@
           not_password: "NOT SECRET"
         )
       end
+
+      context "with Sentry::ErrorEvent" do
+        let(:event) do
+          Sentry::ErrorEvent.new(configuration: configuration).tap do |e|
+            e.extra = ({ password: "SECRET", not_password: "NOT SECRET" })
+          end
+        end
+
+        it "filters everything according to configuration" do
+          subject.call(event)
+
+          expect(event.request.data).to match a_hash_including(
+            "password" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+            "secret_token" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+            "oops" => "OOPS",
+            "hmm" => [
+              a_hash_including(
+                "password" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+                "array" => "too"
+              )
+            ]
+          )
+          expect(event.request.headers).to match a_hash_including(
+            "H-1" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+            "H-2" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+            "H-3" => "secret3",
+            "Authorization" => "token",
+            "X-Xsrf-Token" => "xsrf=token"
+          )
+          expect(event.request.cookies).to match a_hash_including(
+            "cookie1" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+            "cookie2" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+            "cookie3" => Sentry::Sanitizer::Cleaner::DEFAULT_MASK
+          )
+          expect(event.extra).to match a_hash_including(
+            password: Sentry::Sanitizer::Cleaner::DEFAULT_MASK,
+            not_password: "NOT SECRET"
+          )
+        end
+      end
     end
 
     context "cleaning all headers" do