rollbar / rollbar.js

Error tracking and logging from Javascript to Rollbar

Home Page:https://docs.rollbar.com/docs/javascript

Scrubbing request Body FAILS

pitis opened this issue · comments

I am trying to sanitize some user input, and when I look into the Message tab, passwords are scrubbed, but on the Occurrences tab I can see in plain text the password in message.extra.config.data as well as custom.config.data.
The data looks like this: {user: {email: "email@email.com", password: "password_that_should_be_secret"}}

This is my rollbar config now:

import Rollbar, { Configuration } from "rollbar";

export const rollbarConfig: Configuration = {
  accessToken: process.env.REACT_APP_ROLLBAR_CLIENT_TOKEN,
  environment: process.env.REACT_APP_ENVIRONMENT,
  captureIp: "anonymize",
  enabled: true,
  scrubRequestBody: true,
  nodeSourceMaps: true,
  scrubPaths: ["message.extra.config.data", "message.extra.config.data.user"],
  captureUncaught: true,
  captureUnhandledRejections: true,
  payload: {
    client: {
      javascript: {
        source_map_enabled: true,
        guess_uncaught_frames: true,
      },
    },
  },
};

const rollbar = new Rollbar(rollbarConfig);

export default rollbar;

So regarding this, there must be something wrong here.

P.S.: scrubRequestBody is also missing from documentation. I really believe it should be updated.

@pitis The correct scrub paths for these keys would be:

scrubPaths: ["body.message.extra.config.data", "custom.config.data"]

More specific keys can be appended if the data are true object keys (not serialized):

scrubPaths: ["body.message.extra.config.data.user.password", "custom.config.data.user.password"]

The scrubber will generally only traverse object keys in the payload and will not try to parse and traverse serialized JSON strings. (There are a few exceptions where there is an expected probability of a JSON string being present, and it will try to detect and parse JSON strings in those limited cases.)

In this example, the keys user and payload are serialized and scrubPaths or scrubFields won't find them:

// `data` is a JSON string here, not an object, so the scrubber cannot walk into it
Rollbar.info('foo', { config: { data: "{\"user\":{\"password\":\"secret\"}}" } });

Thank you for the report about scrubRequestBody. I've updated the configuration reference. Note that this flag is Node.js only, and is also true/enabled by default. Lastly, it only affects the request key in the payload. For each of these reasons, it would not apply in this situation.
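To make the distinction in this answer (and the corrected paths for the original config above) concrete, here is an added example that is not part of the thread or of rollbar.js itself. It models the behaviour described: a scrubber that walks dotted paths through real object keys only, so `body.message.extra.config.data.user.password` is replaced when `data` is an object but missed when `data` is a serialized JSON string. The `inflateJsonAt` helper is an assumption of this example, not a Rollbar option; it shows the pre-send step a defender can take (parse a known JSON-string field into an object) so the ordinary key-walking scrubber can reach the secret.

```javascript
const SCRUBBED = "********";

// Constructed sample payload shaped like the report: the same `data` object
// appears under body.message.extra.config and under custom.config.
function makeObjectPayload() {
  const data = { user: { email: "email@email.com", password: "password_that_should_be_secret" } };
  return {
    body: { message: { body: "login failed", extra: { config: { data: JSON.parse(JSON.stringify(data)) } } } },
    custom: { config: { data: JSON.parse(JSON.stringify(data)) } },
  };
}

// Constructed payload where `data` is a serialized JSON string, as in the answer.
function makeSerializedPayload() {
  const serialized = JSON.stringify({ user: { password: "secret" } });
  return { body: { message: { body: "foo", extra: { config: { data: serialized } } } } };
}

// Walk one dotted path through real object keys only. Strings are never
// parsed, so the walk stops (and returns false) at a serialized JSON value.
function scrubPath(obj, path) {
  const keys = path.split(".");
  let node = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node === null || typeof node !== "object") return false;
    node = node[keys[i]];
  }
  if (node === null || typeof node !== "object") return false;
  const last = keys[keys.length - 1];
  if (!(last in node)) return false;
  node[last] = SCRUBBED;
  return true;
}

// Apply every configured path; returns one hit/miss flag per path.
function applyScrubPaths(payload, paths) {
  return paths.map((p) => scrubPath(payload, p));
}

// Assumed helper (not a Rollbar option): if the value at `path` is a string
// holding a JSON object, replace it with the parsed object so the key-walking
// scrubber can reach its nested fields. Non-JSON strings are left untouched.
function inflateJsonAt(obj, path) {
  const keys = path.split(".");
  let node = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node === null || typeof node !== "object") return false;
    node = node[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (node === null || typeof node !== "object" || typeof node[last] !== "string") return false;
  try {
    const parsed = JSON.parse(node[last]);
    if (parsed === null || typeof parsed !== "object") return false;
    node[last] = parsed;
    return true;
  } catch {
    return false;
  }
}

// Case 1: `data` is a true object; the corrected paths from the answer hit.
function scrubObjectCase() {
  const payload = makeObjectPayload();
  const hits = applyScrubPaths(payload, [
    "body.message.extra.config.data.user.password",
    "custom.config.data.user.password",
  ]);
  return { hits, payload };
}

// Case 2: `data` is a serialized string; the same path misses and the secret
// survives until the string is parsed into an object first.
function scrubSerializedCase() {
  const path = "body.message.extra.config.data";
  const before = makeSerializedPayload();
  const missed = applyScrubPaths(before, [path + ".user.password"]);

  const after = makeSerializedPayload();
  inflateJsonAt(after, path);
  const hit = applyScrubPaths(after, [path + ".user.password"]);
  return {
    missed,
    hit,
    leaked: before.body.message.extra.config.data, // still contains "secret"
    fixed: after.body.message.extra.config.data,   // password replaced
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scrubObjectCase().payload, null, 2));
  console.log(JSON.stringify(scrubSerializedCase(), null, 2));
}
```

Run it with `node` to see both outcomes side by side. The practical takeaway for a real configuration is the one in the answer: scrub paths must name true object keys, so either keep request data as objects in `extra`/`custom` rather than serializing it first, or parse known JSON-string fields before the payload is scrubbed.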

@waltjones thank you very much for the fast reply