cookie scrubbing

Author: mitchellhenke

lib/sentry/plug.ex

@@ -68,9 +68,15 @@ if Code.ensure_loaded?(Plug) do
 
         use Sentry.Plug, header_scrubber: {MyModule, :scrub_headers}
 
-    To configure scrubbing body and header data, we can set both configuration keys:
+    ### Cookie Scrubber
 
-        use Sentry.Plug, header_scrubber: &scrub_headers/1, body_scrubber: &scrub_params/1
+    By default Sentry will scrub all cookies before sending events.
+    It can be configured similarly to the headers scrubber, but is configured with the `:cookie_scrubber` key.
+
+    To configure scrubbing, we can set all configuration keys:
+
+    use Sentry.Plug, header_scrubber: &scrub_headers/1,
+      body_scrubber: &scrub_params/1, cookie_scrubber: &scrub_cookies/1
 
     ### Including Request Identifiers
 
@@ -89,6 +95,7 @@ if Code.ensure_loaded?(Plug) do
       body_scrubber = Keyword.get(env, :body_scrubber, {__MODULE__, :default_body_scrubber})
 
       header_scrubber = Keyword.get(env, :header_scrubber, {__MODULE__, :default_header_scrubber})
+      cookie_scrubber = Keyword.get(env, :cookie_scrubber, {__MODULE__, :default_cookie_scrubber})
 
       request_id_header = Keyword.get(env, :request_id_header)
 
@@ -109,6 +116,7 @@ if Code.ensure_loaded?(Plug) do
           opts = [
             body_scrubber: unquote(body_scrubber),
             header_scrubber: unquote(header_scrubber),
+            cookie_scrubber: unquote(cookie_scrubber),
             request_id_header: unquote(request_id_header)
           ]
 
@@ -130,6 +138,7 @@ if Code.ensure_loaded?(Plug) do
     def build_request_interface_data(%Plug.Conn{} = conn, opts) do
       body_scrubber = Keyword.get(opts, :body_scrubber)
       header_scrubber = Keyword.get(opts, :header_scrubber)
+      cookie_scrubber = Keyword.get(opts, :cookie_scrubber)
       request_id = Keyword.get(opts, :request_id_header) || @default_plug_request_id_header
 
       conn =
@@ -141,7 +150,7 @@ if Code.ensure_loaded?(Plug) do
         method: conn.method,
         data: handle_data(conn, body_scrubber),
         query_string: conn.query_string,
-        cookies: conn.req_cookies,
+        cookies: handle_data(conn, cookie_scrubber),
         headers: handle_data(conn, header_scrubber),
         env: %{
           "REMOTE_ADDR" => remote_address(conn.remote_ip),
@@ -171,6 +180,11 @@ if Code.ensure_loaded?(Plug) do
       fun.(conn)
     end
 
+    @spec default_cookie_scrubber(Plug.Conn.t()) :: map()
+    def default_cookie_scrubber(_conn) do
+      %{}
+    end
+
     @spec default_header_scrubber(Plug.Conn.t()) :: map()
     def default_header_scrubber(conn) do
       Enum.into(conn.req_headers, %{})

test/plug_test.exs

@@ -169,4 +169,45 @@ defmodule Sentry.PlugTest do
       |> Sentry.ExampleApp.call([])
     end)
   end
+
+  test "default cookie scrubbing" do
+    bypass = Bypass.open()
+
+    Bypass.expect(bypass, fn conn ->
+      {:ok, body, conn} = Plug.Conn.read_body(conn)
+      json = Poison.decode!(body)
+      assert json["request"]["cookies"] == %{}
+      Plug.Conn.resp(conn, 200, ~s<{"id": "340"}>)
+    end)
+
+    modify_env(:sentry, dsn: "http://public:secret@localhost:#{bypass.port}/1")
+
+    assert_raise(RuntimeError, "Error", fn ->
+      conn(:get, "/error_route")
+      |> put_req_cookie("cookie_key", "cookie_value")
+      |> Sentry.ExampleApp.call([])
+    end)
+  end
+
+  test "custom cookie scrubbing" do
+    conn =
+      conn(:get, "/error_route")
+      |> put_req_cookie("cookie_key", "cookie_value")
+      |> put_req_cookie("cookie_key2", "cookie_value2")
+      |> put_req_cookie("secret", "value")
+
+    request_data =
+      Sentry.Plug.build_request_interface_data(
+        conn,
+        cookie_scrubber: fn(conn) ->
+          conn.req_cookies
+          |> Map.take(["cookie_key", "cookie_key2"])
+        end
+      )
+
+    assert request_data[:cookies] == %{
+      "cookie_key" => "cookie_value",
+      "cookie_key2" => "cookie_value2"
+    }
+  end
 end

test/support/test_plug.ex

@@ -1,8 +1,7 @@
 defmodule Sentry.ExampleApp do
   use Plug.Router
   use Plug.ErrorHandler
-  use Sentry.Plug, request_id_header: "x-request-id"
-
+  use Sentry.Plug, request_id_header: "x-request-id", cookie_scrubber: &Sentry.ExampleApp.allow_all_cookie_scrubber/1
 
   plug Plug.Parsers, parsers: [:multipart]
   plug Plug.RequestId
@@ -31,4 +30,8 @@ defmodule Sentry.ExampleApp do
     _ = conn
     raise RuntimeError, "Error"
   end
+
+  def all_cookie_scrubber(conn) do
+    conn.req_cookies
+  end
 end