withSentry in nextjs can not be configured to scrub cookies (sensitive data)

Problem Statement

All I want is to scrub certain (or all) cookies from the events sent to Sentry. Basic data scrubbing of sensitive fields.

The beforeSend hook is never called. Don’t know why, but I saw in the code that the beforeSend hook is not called when the event type is transaction, and all events I see going through the Sentry code are transactions.

I’m using withSentry from the @sentry/nextjs package, which internally calls parseRequest that’s responsible for extracting the relevant sensitive data from the request. The parseRequest function accepts (optional) options, that AFAICS can be used to limit what keys are extracted from the request (defaults include cookies). The withSentry function however does not allow passing any options to parseRequest.

Solution Brainstorm

Allow options to be passed to withSentry to allow it to override what keys are extracted by extractRequestData. The requestHandler function can be configured in such a way, for example.

Or provide a hook that’s called on /all/ events before they are sent to Sentry, not just some.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 9 (5 by maintainers)

Top GitHub Comments

3 reactions
wereHamster commented, Mar 18, 2022

Couldn’t get it to work with the global event processor, but this appears to work (uses the same means to add the event processor as the code in withSentry, getCurrentHub().currentScope().addEventProcessor()):

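import * as Sentry from '@sentry/nextjs';
import type { NextApiHandler } from 'next';

// Return type of Sentry.withSentry, derived here so no SDK-internal import path is needed.
type WrappedNextApiHandler = ReturnType<typeof Sentry.withSentry>;

/**
 * A wrapper around Sentry.withSentry() that removes sensitive data (cookies)
 * from the event.
 *
 * Update this function once there is a nicer way to do that.
 * https://github.com/getsentry/sentry-javascript/issues/4723.
 */
export const withSentry = (origHandler: NextApiHandler): WrappedNextApiHandler => {
  // Drops all cookies and all headers from the request data attached to the event.
  function sanitizeEvent(event: Sentry.Event) {
    if (event.request) {
      delete event.request.cookies;
      delete event.request.headers;
    }

    return event;
  }

  return Sentry.withSentry((req, res) => {
    // Register the processor on the current scope for this request.
    Sentry.getCurrentHub().getScope()?.addEventProcessor(sanitizeEvent);
    return origHandler(req, res);
  });
};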

0 reactions
lobsterkatie commented, Nov 30, 2022

Actually, you can prevent the data from being attached in the first place using the RequestData integration. (You’re making me realize that though I added it to the node docs, I also need to add it to the browser docs for platforms which are frontend-backend combos (like nextjs). I’ll do that (update: done). In the meantime, see https://docs.sentry.io/platforms/node/configuration/integrations/default-integrations/#requestdata (and the Modifying System Integrations section below it).)

TL;DR, you’re going to want to do something like this in your sentry.server.config.js:

import * as Sentry from '@sentry/nextjs';

const { RequestData } = Sentry.Integrations;

Sentry.init({
  integrations: [
    new RequestData({
      include: {
        // Do not attach request cookies to events.
        cookies: false,
      },
    }),
  ],
});
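
The issue asks for scrubbing "certain (or all)" cookies, while the wrapper in the first comment deletes all cookies and headers. The following is an added example, not code from the thread or from the Sentry SDK: an event processor body that redacts every cookie except an allowlist, in both the parsed `request.cookies` map and the raw `cookie` header. The cookie and header names, the `[Filtered]` marker and the sample event are assumptions constructed for illustration.

```javascript
// Added example, not code from the issue thread.
// Assumed names: cookies that are safe to keep, and headers to redact whole.
const SAFE_COOKIES = new Set(['theme', 'locale']);
const SENSITIVE_HEADERS = new Set(['authorization', 'set-cookie', 'x-api-key']);
const REDACTED = '[Filtered]';

// Redact every cookie in a raw Cookie header except allowlisted names.
function scrubCookieHeader(value) {
  return String(value)
    .split(';')
    .filter((pair) => pair.trim() !== '')
    .map((pair) => {
      const eq = pair.indexOf('=');
      const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
      return SAFE_COOKIES.has(name) ? pair.trim() : `${name}=${REDACTED}`;
    })
    .join('; ');
}

// Event processor body: it does not look at event.type, so transaction
// events are scrubbed the same way as error events.
function scrubRequest(event) {
  const req = event && event.request;
  if (!req) return event;
  if (req.cookies && typeof req.cookies === 'object') {
    for (const name of Object.keys(req.cookies)) {
      if (!SAFE_COOKIES.has(name)) req.cookies[name] = REDACTED;
    }
  }
  if (req.headers && typeof req.headers === 'object') {
    for (const name of Object.keys(req.headers)) {
      const lower = name.toLowerCase();
      if (lower === 'cookie') req.headers[name] = scrubCookieHeader(req.headers[name]);
      else if (SENSITIVE_HEADERS.has(lower)) req.headers[name] = REDACTED;
    }
  }
  return event;
}

// Constructed sample event (not real Sentry output).
function sampleEvent() {
  return {
    type: 'transaction',
    request: {
      cookies: { theme: 'dark', session: 's3cr3t' },
      headers: { cookie: 'theme=dark; session=s3cr3t', authorization: 'Bearer abc', 'user-agent': 'curl/8.0' },
    },
  };
}

console.log(JSON.stringify(scrubRequest(sampleEvent()), null, 2));
```

To use it, pass `scrubRequest` to `addEventProcessor()` in place of `sanitizeEvent` in the wrapper from the first comment. Because unknown cookies are redacted by default, a newly introduced session cookie is not sent until someone adds it to the allowlist.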