Fix remove route params from txn context, as they may leak PII data (#3487)

Author: markushi

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## Unreleased
+
+### Fixes
+
+- Stop sending navigation route params for auto-generated transactions, as they may contain PII or other sensitive data ([#3487](https://github.com/getsentry/sentry-react-native/pull/3487))
+  - Further details and other strategies to mitigate this issue can be found on our [trouble shooting guide page](https://docs.sentry.io/platforms/react-native/troubleshooting/#routing-transaction-data-contains-sensitive-information)
+
 ## 5.15.1
 
 ### Fixes

src/js/tracing/reactnavigation.ts

@@ -196,14 +196,16 @@ export class ReactNavigationInstrumentation extends InternalRoutingInstrumentati
             route: {
               name: route.name,
               key: route.key,
-              params: route.params ?? {},
+              // TODO: filter PII params instead of dropping them all
+              params: {},
               hasBeenSeen: routeHasBeenSeen,
             },
             previousRoute: previousRoute
               ? {
                   name: previousRoute.name,
                   key: previousRoute.key,
-                  params: previousRoute.params ?? {},
+                  // TODO: filter PII params instead of dropping them all
+                  params: {},
                 }
               : null,
           };

src/js/tracing/reactnavigationv4.ts

@@ -264,14 +264,16 @@ class ReactNavigationV4Instrumentation extends InternalRoutingInstrumentation {
       route: {
         name: route.routeName, // Include name here too for use in `beforeNavigate`
         key: route.key,
-        params: route.params ?? {},
+        // TODO: filter PII params instead of dropping them all
+        params: {},
         hasBeenSeen: this._recentRouteKeys.includes(route.key),
       },
       previousRoute: previousRoute
         ? {
             name: previousRoute.routeName,
             key: previousRoute.key,
-            params: previousRoute.params ?? {},
+            // TODO: filter PII params instead of dropping them all
+            params: {},
           }
         : null,
     };

test/tracing/reactnavigation.test.ts

@@ -123,7 +123,7 @@ describe('ReactNavigationInstrumentation', () => {
           route: {
             name: route.name,
             key: route.key,
-            params: route.params,
+            params: {}, // expect the data to be stripped
             hasBeenSeen: false,
           },
           previousRoute: {

test/tracing/reactnavigationv4.test.ts

@@ -119,7 +119,7 @@ describe('ReactNavigationV4Instrumentation', () => {
       route: {
         name: firstRoute.routeName,
         key: firstRoute.key,
-        params: firstRoute.params,
+        params: {}, // expect the data to be stripped
         hasBeenSeen: false,
       },
       previousRoute: null,
@@ -169,15 +169,13 @@ describe('ReactNavigationV4Instrumentation', () => {
         route: {
           name: action.routeName,
           key: action.key,
-          params: action.params,
+          params: {}, // expect the data to be stripped
           hasBeenSeen: false,
         },
         previousRoute: {
           name: 'Initial Route',
           key: 'route0',
-          params: {
-            hello: true,
-          },
+          params: {}, // expect the data to be stripped
         },
       },
     });
@@ -230,15 +228,13 @@ describe('ReactNavigationV4Instrumentation', () => {
         route: {
           name: action.routeName,
           key: action.key,
-          params: action.params,
+          params: {}, // expect the data to be stripped
           hasBeenSeen: false,
         },
         previousRoute: {
           name: 'Initial Route',
           key: 'route0',
-          params: {
-            hello: true,
-          },
+          params: {}, // expect the data to be stripped
         },
       },
       sampled: false,