Merge pull request #2359 from getsentry/release/6.7.0

vaind · adinauer · commit ed0476f0f711 · 2022-11-15T17:55:43.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changelog
 
-## Unreleased
+## 6.7.0
 
 ### Fixes
 
diff --git a/sentry-android-okhttp/src/main/java/io/sentry/android/okhttp/SentryOkHttpInterceptor.kt b/sentry-android-okhttp/src/main/java/io/sentry/android/okhttp/SentryOkHttpInterceptor.kt
@@ -16,6 +16,7 @@ import io.sentry.exception.SentryHttpClientException
 import io.sentry.protocol.Mechanism
 import io.sentry.util.HttpUtils
 import io.sentry.util.PropagationTargetsUtils
+import io.sentry.util.UrlUtils
 import okhttp3.Headers
 import okhttp3.Interceptor
 import okhttp3.Request
@@ -53,7 +54,7 @@ class SentryOkHttpInterceptor(
     override fun intercept(chain: Interceptor.Chain): Response {
         var request = chain.request()
 
-        val url = request.url.toString()
+        val url = UrlUtils.maybeStripSensitiveDataFromUrl(request.url.toString(), hub.options.isSendDefaultPii)
         val method = request.method
 
         // read transaction from the bound scope
@@ -96,7 +97,8 @@ class SentryOkHttpInterceptor(
         } finally {
             finishSpan(span, request, response)
 
-            val breadcrumb = Breadcrumb.http(request.url.toString(), request.method, code)
+            val url = UrlUtils.maybeStripSensitiveDataFromUrl(request.url.toString(), hub.options.isSendDefaultPii)
+            val breadcrumb = Breadcrumb.http(url, request.method, code)
             request.body?.contentLength().ifHasValidLength {
                 breadcrumb.setData("request_body_size", it)
             }
@@ -180,7 +182,7 @@ class SentryOkHttpInterceptor(
         hint.set(OKHTTP_RESPONSE, response)
 
         val sentryRequest = io.sentry.protocol.Request().apply {
-            url = requestUrl
+            url = UrlUtils.maybeStripSensitiveDataFromUrl(requestUrl, hub.options.isSendDefaultPii)
             // Cookie is only sent if isSendDefaultPii is enabled
             cookies = if (hub.options.isSendDefaultPii) request.headers["Cookie"] else null
             method = request.method
diff --git a/sentry-apollo-3/src/main/java/io/sentry/apollo3/SentryApollo3HttpInterceptor.kt b/sentry-apollo-3/src/main/java/io/sentry/apollo3/SentryApollo3HttpInterceptor.kt
@@ -17,6 +17,7 @@ import io.sentry.SentryLevel
 import io.sentry.SpanStatus
 import io.sentry.TypeCheckHint
 import io.sentry.util.PropagationTargetsUtils
+import io.sentry.util.UrlUtils
 
 class SentryApollo3HttpInterceptor @JvmOverloads constructor(private val hub: IHub = HubAdapter.getInstance(), private val beforeSpan: BeforeSpanCallback? = null) :
     HttpInterceptor {
@@ -80,7 +81,7 @@ class SentryApollo3HttpInterceptor @JvmOverloads constructor(private val hub: IH
     }
 
     private fun startChild(request: HttpRequest, activeSpan: ISpan): ISpan {
-        val url = request.url
+        val url = UrlUtils.maybeStripSensitiveDataFromUrl(request.url, hub.options.isSendDefaultPii)
         val method = request.method
 
         val operationName = operationNameFromHeaders(request)
@@ -121,8 +122,9 @@ class SentryApollo3HttpInterceptor @JvmOverloads constructor(private val hub: IH
         }
         span.finish()
 
+        val url = UrlUtils.maybeStripSensitiveDataFromUrl(request.url, hub.options.isSendDefaultPii)
         val breadcrumb =
-            Breadcrumb.http(request.url, request.method.name, statusCode)
+            Breadcrumb.http(url, request.method.name, statusCode)
 
         request.body?.contentLength.ifHasValidLength { contentLength ->
             breadcrumb.setData("request_body_size", contentLength)
diff --git a/sentry-apollo/src/main/java/io/sentry/apollo/SentryApolloInterceptor.kt b/sentry-apollo/src/main/java/io/sentry/apollo/SentryApolloInterceptor.kt
@@ -21,6 +21,7 @@ import io.sentry.SentryLevel
 import io.sentry.SpanStatus
 import io.sentry.TypeCheckHint.APOLLO_REQUEST
 import io.sentry.TypeCheckHint.APOLLO_RESPONSE
+import io.sentry.util.UrlUtils
 import java.util.concurrent.Executor
 
 class SentryApolloInterceptor(
@@ -114,7 +115,8 @@ class SentryApolloInterceptor(
                 val httpResponse = it.httpResponse.get()
                 val httpRequest = httpResponse.request()
 
-                val breadcrumb = Breadcrumb.http(httpRequest.url().toString(), httpRequest.method(), httpResponse.code())
+                val url = UrlUtils.maybeStripSensitiveDataFromUrl(httpRequest.url().toString(), hub.options.isSendDefaultPii)
+                val breadcrumb = Breadcrumb.http(url, httpRequest.method(), httpResponse.code())
 
                 httpRequest.body()?.contentLength().ifHasValidLength { contentLength ->
                     breadcrumb.setData("request_body_size", contentLength)
diff --git a/sentry-openfeign/src/main/java/io/sentry/openfeign/SentryFeignClient.java b/sentry-openfeign/src/main/java/io/sentry/openfeign/SentryFeignClient.java
@@ -15,6 +15,7 @@
 import io.sentry.SpanStatus;
 import io.sentry.util.Objects;
 import io.sentry.util.PropagationTargetsUtils;
+import io.sentry.util.UrlUtils;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -50,7 +51,9 @@ public Response execute(final @NotNull Request request, final @NotNull Request.O
       }
 
       ISpan span = activeSpan.startChild("http.client");
-      String url = request.url();
+      final @NotNull String url =
+          UrlUtils.maybeStripSensitiveDataFromUrl(
+              request.url(), hub.getOptions().isSendDefaultPii());
       span.setDescription(request.httpMethod().name() + " " + url);
 
       final RequestWrapper requestWrapper = new RequestWrapper(request);
@@ -99,11 +102,11 @@ public Response execute(final @NotNull Request request, final @NotNull Request.O
   }
 
   private void addBreadcrumb(final @NotNull Request request, final @Nullable Response response) {
+    final @NotNull String url =
+        UrlUtils.maybeStripSensitiveDataFromUrl(request.url(), hub.getOptions().isSendDefaultPii());
     final Breadcrumb breadcrumb =
         Breadcrumb.http(
-            request.url(),
-            request.httpMethod().name(),
-            response != null ? response.status() : null);
+            url, request.httpMethod().name(), response != null ? response.status() : null);
     breadcrumb.setData("request_body_size", request.body() != null ? request.body().length : 0);
     if (response != null && response.body() != null && response.body().length() != null) {
       breadcrumb.setData("response_body_size", response.body().length());
diff --git a/sentry-spring-jakarta/src/main/java/io/sentry/spring/jakarta/tracing/SentrySpanClientHttpRequestInterceptor.java b/sentry-spring-jakarta/src/main/java/io/sentry/spring/jakarta/tracing/SentrySpanClientHttpRequestInterceptor.java
@@ -14,6 +14,8 @@
 import io.sentry.SpanStatus;
 import io.sentry.util.Objects;
 import io.sentry.util.PropagationTargetsUtils;
+import io.sentry.util.UrlUtils;
+
 import java.io.IOException;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -47,7 +49,8 @@ public SentrySpanClientHttpRequestInterceptor(final @NotNull IHub hub) {
       final ISpan span = activeSpan.startChild("http.client");
       final String methodName =
           request.getMethod() != null ? request.getMethod().name() : "unknown";
-      span.setDescription(methodName + " " + request.getURI());
+      final @NotNull String url = UrlUtils.maybeStripSensitiveDataFromUrl(request.getURI().toString(), hub.getOptions().isSendDefaultPii());
+      span.setDescription(methodName + " " + url);
 
       final SentryTraceHeader sentryTraceHeader = span.toSentryTrace();
 
@@ -87,9 +90,10 @@ private void addBreadcrumb(
       final @Nullable Integer responseStatusCode,
       final @Nullable ClientHttpResponse response) {
     final String methodName = request.getMethod() != null ? request.getMethod().name() : "unknown";
+    final @NotNull String url = UrlUtils.maybeStripSensitiveDataFromUrl(request.getURI().toString(), hub.getOptions().isSendDefaultPii());
 
     final Breadcrumb breadcrumb =
-        Breadcrumb.http(request.getURI().toString(), methodName, responseStatusCode);
+        Breadcrumb.http(url, methodName, responseStatusCode);
     breadcrumb.setData("request_body_size", body.length);
 
     final Hint hint = new Hint();
diff --git a/sentry-spring/src/main/java/io/sentry/spring/tracing/SentrySpanClientHttpRequestInterceptor.java b/sentry-spring/src/main/java/io/sentry/spring/tracing/SentrySpanClientHttpRequestInterceptor.java
@@ -14,6 +14,7 @@
 import io.sentry.SpanStatus;
 import io.sentry.util.Objects;
 import io.sentry.util.PropagationTargetsUtils;
+import io.sentry.util.UrlUtils;
 import java.io.IOException;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -47,7 +48,10 @@ public SentrySpanClientHttpRequestInterceptor(final @NotNull IHub hub) {
       final ISpan span = activeSpan.startChild("http.client");
       final String methodName =
           request.getMethod() != null ? request.getMethod().name() : "unknown";
-      span.setDescription(methodName + " " + request.getURI());
+      final @NotNull String url =
+          UrlUtils.maybeStripSensitiveDataFromUrl(
+              request.getURI().toString(), hub.getOptions().isSendDefaultPii());
+      span.setDescription(methodName + " " + url);
 
       final SentryTraceHeader sentryTraceHeader = span.toSentryTrace();
 
@@ -88,8 +92,10 @@ private void addBreadcrumb(
       final @Nullable ClientHttpResponse response) {
     final String methodName = request.getMethod() != null ? request.getMethod().name() : "unknown";
 
-    final Breadcrumb breadcrumb =
-        Breadcrumb.http(request.getURI().toString(), methodName, responseStatusCode);
+    final @NotNull String url =
+        UrlUtils.maybeStripSensitiveDataFromUrl(
+            request.getURI().toString(), hub.getOptions().isSendDefaultPii());
+    final Breadcrumb breadcrumb = Breadcrumb.http(url, methodName, responseStatusCode);
     breadcrumb.setData("request_body_size", body.length);
 
     final Hint hint = new Hint();
diff --git a/sentry/api/sentry.api b/sentry/api/sentry.api
@@ -3379,6 +3379,12 @@ public final class io/sentry/util/StringUtils {
 	public static fun removeSurrounding (Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
 }
 
+public final class io/sentry/util/UrlUtils {
+	public fun <init> ()V
+	public static fun maybeStripSensitiveDataFromUrl (Ljava/lang/String;Z)Ljava/lang/String;
+	public static fun maybeStripSensitiveDataFromUrlNullable (Ljava/lang/String;Z)Ljava/lang/String;
+}
+
 public class io/sentry/vendor/Base64 {
 	public static final field CRLF I
 	public static final field DEFAULT I
diff --git a/sentry/src/main/java/io/sentry/util/UrlUtils.java b/sentry/src/main/java/io/sentry/util/UrlUtils.java
@@ -0,0 +1,47 @@
+package io.sentry.util;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+public final class UrlUtils {
+
+  private static final @NotNull Pattern USER_INFO_REGEX = Pattern.compile("(.+://)(.*@)(.*)");
+  private static final @NotNull Pattern TOKEN_REGEX = Pattern.compile("(.*)([?&]token=[^&#]+)(.*)");
+
+  public static @Nullable String maybeStripSensitiveDataFromUrlNullable(
+      final @Nullable String url, final boolean isSendDefaultPii) {
+    if (url == null) {
+      return null;
+    }
+
+    return maybeStripSensitiveDataFromUrl(url, isSendDefaultPii);
+  }
+
+  public static @NotNull String maybeStripSensitiveDataFromUrl(
+      final @NotNull String url, final boolean isSendDefaultPii) {
+    if (isSendDefaultPii) {
+      return url;
+    }
+
+    @NotNull String modifiedUrl = url;
+
+    Matcher userInfoMatcher = USER_INFO_REGEX.matcher(modifiedUrl);
+    if (userInfoMatcher.matches() && userInfoMatcher.groupCount() == 3) {
+      final @NotNull String userInfoString = userInfoMatcher.group(2);
+      final @NotNull String replacementString = userInfoString.contains(":") ? "%s:%s@" : "%s@";
+      modifiedUrl = userInfoMatcher.group(1) + replacementString + userInfoMatcher.group(3);
+    }
+
+    Matcher tokenMatcher = TOKEN_REGEX.matcher(modifiedUrl);
+    if (tokenMatcher.matches() && tokenMatcher.groupCount() == 3) {
+      final @NotNull String tokenString = tokenMatcher.group(2);
+      final @NotNull String queryParamSeparator = tokenString.substring(0, 1);
+      modifiedUrl =
+          tokenMatcher.group(1) + queryParamSeparator + "token=%s" + tokenMatcher.group(3);
+    }
+
+    return modifiedUrl;
+  }
+}
diff --git a/sentry/src/test/java/io/sentry/util/UrlUtilsTest.kt b/sentry/src/test/java/io/sentry/util/UrlUtilsTest.kt
@@ -0,0 +1,68 @@
+package io.sentry.util
+
+import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertNull
+
+class UrlUtilsTest {
+
+    @Test
+    fun `returns null for null`() {
+        assertNull(UrlUtils.maybeStripSensitiveDataFromUrlNullable(null, false))
+    }
+
+    @Test
+    fun `keeps sensitive data if sendDefaultPii is true`() {
+        assertEquals("https://user:password@sentry.io?q=1&s=2&token=secret#top", UrlUtils.maybeStripSensitiveDataFromUrl("https://user:password@sentry.io?q=1&s=2&token=secret#top", true))
+    }
+
+    @Test
+    fun `strips user info with user and password`() {
+        assertEquals("http://%s:%s@sentry.io", UrlUtils.maybeStripSensitiveDataFromUrl("http://user:password@sentry.io", false))
+    }
+
+    @Test
+    fun `strips user info with user and password from https`() {
+        assertEquals("https://%s:%s@sentry.io", UrlUtils.maybeStripSensitiveDataFromUrl("https://user:password@sentry.io", false))
+    }
+
+    @Test
+    fun `strips user info with user only`() {
+        assertEquals("http://%s@sentry.io", UrlUtils.maybeStripSensitiveDataFromUrl("http://user@sentry.io", false))
+    }
+
+    @Test
+    fun `strips user info with user only from https`() {
+        assertEquals("https://%s@sentry.io", UrlUtils.maybeStripSensitiveDataFromUrl("https://user@sentry.io", false))
+    }
+
+    @Test
+    fun `strips token from query params as first param`() {
+        assertEquals("https://sentry.io?token=%s", UrlUtils.maybeStripSensitiveDataFromUrl("https://sentry.io?token=secret", false))
+    }
+
+    @Test
+    fun `strips token from query params as later param`() {
+        assertEquals("https://sentry.io?q=1&s=2&token=%s", UrlUtils.maybeStripSensitiveDataFromUrl("https://sentry.io?q=1&s=2&token=secret", false))
+    }
+
+    @Test
+    fun `strips token from query params as first param and keeps anchor`() {
+        assertEquals("https://sentry.io?token=%s#top", UrlUtils.maybeStripSensitiveDataFromUrl("https://sentry.io?token=secret#top", false))
+    }
+
+    @Test
+    fun `strips token from query params as later param and keeps anchor`() {
+        assertEquals("https://sentry.io?q=1&s=2&token=%s#top", UrlUtils.maybeStripSensitiveDataFromUrl("https://sentry.io?q=1&s=2&token=secret#top", false))
+    }
+
+    @Test
+    fun `strips token from query params after anchor`() {
+        assertEquals("https://api.github.com/users/getsentry/repos/#fragment?token=%s", UrlUtils.maybeStripSensitiveDataFromUrl("https://api.github.com/users/getsentry/repos/#fragment?token=query", false))
+    }
+
+    @Test
+    fun `strips token from query params after anchor with &`() {
+        assertEquals("https://api.github.com/users/getsentry/repos/#fragment?q=1&token=%s", UrlUtils.maybeStripSensitiveDataFromUrl("https://api.github.com/users/getsentry/repos/#fragment?q=1&token=query", false))
+    }
+}
