HTTP client transactions not filtering out bearer tokens?

[danpaul88]

I've noticed recently some examples of HTTP client instrumentation seemingly including bearer tokens in the instrumentation envelope being sent to Sentry - is this expected behaviour? Typically I'd have expected sensitive information such as authorization headers to be stripped before being sent to Sentry.

Worth noting that we're using Sentry.OpenTelemetry, which may have some bearing on this. I'm not 100% clear on which bits of the transaction information come from Sentry vs OpenTelemetry, so if this is better aimed at the OTel repo let me know :)

An example captured from the Debug option in Sentry (with the actual token masked out manually);

{
  "sdk": {
    "name": "sentry.dotnet",
    "version": "3.41.4"
  },
  "event_id": "96aad623f38f464aa02265a7604e6ba1",
  "trace": {
    "trace_id": "7a9ea39f1bee85d073c436c10cd4ae3c",
    "public_key": "91ed168e5a154d8c945abaf12489829f",
    "sampled": "true",
    "sample_rate": "1",
    "release": "[email protected]",
    "environment": "Development",
    "transaction": "FormatHttpResponse"
  },
  "sent_at": "2024-06-10T07:19:07.2654227+00:00"
}
{
  "type": "transaction",
  "length": 4313
}
{
  "type": "transaction",
  "event_id": "96aad623f38f464aa02265a7604e6ba1",
  "platform": "csharp",
  "release": "[email protected]",
  "transaction": "Format HTTP Response",
  "transaction_info": {
    "source": "custom"
  },
  "start_timestamp": "2024-06-10T07:19:07.1636623+00:00",
  "timestamp": "2024-06-10T07:19:07.1654395+00:00",
  "request": {
    "env": {
      "REMOTE_ADDR": "::1",
      "SERVER_NAME": "myserver",
      "SERVER_PORT": "5000",
      "SERVER_SOFTWARE": "Kestrel"
    },
    "headers": {
      "Accept": "*/*",
      "Connection": "keep-alive",
      "Host": "localhost:5000",
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0",
      "Accept-Encoding": "gzip, deflate, br, zstd",
      "Accept-Language": "en-GB,en;q=0.9,en-US;q=0.8",
      "Authorization": "Bearer [manually masked]",
      "Cache-Control": "max-age=0",
      "Content-Type": "application/json",
      "Origin":"
http: //localhost:5000","Referer":"http://localhost:5000/graphql/static/js/document.1c871ce8.chunk.js","Content-Length":"317","Sec-Fetch-Site":"same-origin","Sec-Fetch-Mode":"cors","Sec-Fetch-Dest":"empty"},"url":"http://localhost:5000/graphql","method":"POST","data":"{}"},"contexts":{"app":{"type":"app","app_start_time":"2024-06-10T07: 14: 53.4874826+00: 00"},"device":{"type":"device","boot_time":"2024-06-01T00: 32: 06.2147946+00: 00"},"os":{"type":"os","raw_description":"Microsoft Windows 10.0.19045"},"otel":{"resource":{"service.name":"mycompany.Api (Development)","service.version":"1.0.0.0","service.instance.id":"bf4b72ab-d47c-450b-814f-9e67ec238b15","telemetry.sdk.name":"opentelemetry","telemetry.sdk.language":"dotnet","telemetry.sdk.version":"1.8.1"}},"runtime":{"type":"runtime","name":".NET","version":"8.0.5","raw_description":".NET 8.0.5","identifier":"win-x64"},"trace":{"type":"trace","span_id":"89cf848242451235","parent_span_id":"a08371edad1e21b2","trace_id":"7a9ea39f1bee85d073c436c10cd4ae3c","op":"FormatHttpResponse","description":"Format HTTP Response","status":"ok"}},"user":{"username":"user.name","email":"[email protected]","ip_address":": : 1"},"environment":"Development","sdk":{"packages":[{"name":"nuget:sentry.dotnet","version":"3.41.4"},{"name":"nuget:Sentry.AspNetCore","version":"3.41.4"}],"name":"sentry.dotnet.aspnetcore","version":"3.41.4"},"breadcrumbs":[{"timestamp":"2024-06-10T07: 19: 00.099Z","type":"http","data":{"url":"
http: //myserver:16002/anApi/V1","method":"GET","status_code":"200"},"category":"http"},{"timestamp":"2024-06-10T07:19:00.158Z","type":"http","data":{"url":"http://myserver:16002/anApi/V1","method":"GET","status_code":"200"},"category":"http"}],"tags":{"TraceIdentifier":"0HN493KB53V4V:00000001"}}

Appreciate some of the versions are a bit old (and updating them might turn out to be the solution) but we're having a battle getting our on-premise Sentry instance updated to a newer version (office politics, not technical) and are stuck on the pre 4.x versions of Sentry in the meantime.

How can I make sure that the Sentry client is masking out the bearer tokens in these transactions before sending them to the Sentry server? Obviously not great from a security perspective to be capturing those in the envelopes :)

[bitsandfoxes]

@jamescrosswell, did you come across this when building out the support?

[jamescrosswell]

It looks like it's just an OpenTelemetry span... the instrumentation under the hood is probably Microsoft or the folks who build the GraphQL library and we're just capturing this and passing it on.

It would be nice to be able to redact sensitive information from OTel spans. I'm not sure if any of the other SDKs are already doing something similar. It looks like it might be part of Sentry Relay but that header, specifically, isn't mentioned in the docs.