Scrubbing request Body FAILS
pitis opened this issue · comments
I am trying to sanitize some user input, and when I look into the Message tab, passwords are scrubbed, but on the Occurrences tab I can see the password in plain text in message.extra.config.data as well as custom.config.data.
The data looks like this {user: {email: "email@email.com", password: "password_that_should_be_secret"}}
This is my rollbar config now:
import Rollbar, { Configuration } from "rollbar";

export const rollbarConfig: Configuration = {
  accessToken: process.env.REACT_APP_ROLLBAR_CLIENT_TOKEN,
  environment: process.env.REACT_APP_ENVIRONMENT,
  captureIp: "anonymize",
  enabled: true,
  scrubRequestBody: true,
  nodeSourceMaps: true,
  scrubPaths: ["message.extra.config.data", "message.extra.config.data.user"],
  captureUncaught: true,
  captureUnhandledRejections: true,
  payload: {
    client: {
      javascript: {
        source_map_enabled: true,
        guess_uncaught_frames: true,
      },
    },
  },
};

const rollbar = new Rollbar(rollbarConfig);

export default rollbar;
So regarding this, there must be something wrong here.
P.S.: scrubRequestBody is also missing from documentation. I really believe it should be updated.
@pitis The correct scrub paths for these keys would be:
scrubPaths: ["body.message.extra.config.data", "custom.config.data"]
More specific keys can be appended if the data are true object keys (not serialized):
scrubPaths: ["body.message.extra.config.data.user.password", "custom.config.data.user.password"]
The scrubber will generally only traverse object keys in the payload and will not try to parse and traverse serialized JSON strings. (There are a few exceptions where there is an expected probability of a JSON string being present, and it will try to detect and parse JSON strings in those limited cases.)
In this example, the keys user and payload are serialized and scrubPaths or scrubFields won't find them:
Rollbar.info('foo', { config: { data: "{\"user\":{\"password\":\"secret\"}}" } });
Thank you for the report about scrubRequestBody. I've updated the configuration reference. Note that this flag is Node.js only, and is also true/enabled by default. Lastly, it only affects the request key in the payload. For each of these reasons, it would not apply in this situation.
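The three points in the reply above (the scrub path has to start at the real payload key, more specific paths work on real object keys, and a serialized JSON string is never traversed) as an added, self-contained example. This is not code from this thread or from rollbar.js itself: it is a minimal dotted-path scrubber run against a constructed payload whose layout (message extras under body.message.extra, custom data under custom) is an assumption based on the paths given in the reply, and the mask value is also an assumption.

```javascript
// Added example, not rollbar.js's own scrubber. Walks real object keys only,
// which is the behaviour the reply describes for scrubPaths.
const SCRUB_MASK = "********"; // assumption: fixed-width replacement value

// Replace the value at one dotted path. Returns true when the path resolved
// to a real key; false when any segment is missing or is not an object
// (a serialized JSON string is a plain string, so traversal stops there).
function scrubPath(obj, path) {
  const keys = path.split(".");
  let node = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node === null || typeof node !== "object" || !(keys[i] in node)) return false;
    node = node[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (node === null || typeof node !== "object" || !(last in node)) return false;
  node[last] = SCRUB_MASK;
  return true;
}

// Scrub a deep copy of the payload and report which paths actually matched.
function scrubPayload(payload, scrubPaths) {
  const copy = JSON.parse(JSON.stringify(payload));
  const hits = {};
  for (const p of scrubPaths) hits[p] = scrubPath(copy, p);
  return { payload: copy, hits };
}

// Constructed payload shape (assumption): the object passed as "extra" lands
// under body.message.extra, and the same data is also placed under custom.
function buildPayload(dataValue) {
  return {
    body: { message: { body: "foo", extra: { config: { data: dataValue } } } },
    custom: { config: { data: dataValue } },
  };
}

// Does the secret still appear anywhere in what would be sent?
const SECRET = "password_that_should_be_secret"; // constructed sample value
function leaksSecret(payload) {
  return JSON.stringify(payload).includes(SECRET);
}

// Constructed inputs: the same data as a real object and as a JSON string.
const objectData = { user: { email: "email@email.com", password: SECRET } };
const serializedData = JSON.stringify(objectData);

// Paths from the original config (prefix "message." instead of "body.message.").
const originalPaths = ["message.extra.config.data", "message.extra.config.data.user"];
// Paths from the reply, narrowed to the password key only.
const correctedPaths = [
  "body.message.extra.config.data.user.password",
  "custom.config.data.user.password",
];

// Run the three cases and return the results so they can be inspected.
function runCases() {
  return {
    originalPathsOnObject: scrubPayload(buildPayload(objectData), originalPaths),
    correctedPathsOnObject: scrubPayload(buildPayload(objectData), correctedPaths),
    correctedPathsOnString: scrubPayload(buildPayload(serializedData), correctedPaths),
  };
}

const results = runCases();
for (const [name, r] of Object.entries(results)) {
  console.log(name, "hits:", r.hits, "secret still present:", leaksSecret(r.payload));
}
```

Running it shows the original `message.`-prefixed paths match nothing and the secret ships in clear, the corrected paths mask only `password` and leave `email` intact, and with the data passed as a JSON string the corrected paths match nothing at all because the walk stops at the string. The practical consequence is the one in the reply: the data has to reach the SDK as real object keys for scrubPaths to have any effect.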
@waltjones thank you very much for the fast reply