
Align sanitize_field_names option + central config #319

Closed

felixbarny opened this issue Aug 14, 2020 · 11 comments · Fixed by #334

Comments

@felixbarny
Member

felixbarny commented Aug 14, 2020

We want to add sanitize_field_names to central config: #318

This is a setting that affects the security of the application so we want it to be aligned across agents and available in central config. This ensures that if information is leaking, it's quick and easy to update the sanitization logic across all agents.

This is the current state for our agents:

| Agent | Applies to | Matching | Default |
| --- | --- | --- | --- |
| Python | stacktrace locals, cookies, headers, wsgi_env, querystring, request body (depending on processors) | contains? | `authorization, password, secret, passwd, token, api_key, access_token, sessionid` |
| Node.js | n/a | n/a | n/a |
| Ruby | HTTP headers and bodies | wildcard | `password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie` (from 4.0, released before or around 7.11) |
| Java | HTTP headers, cookies, and POST form fields | wildcard | `password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie` |
| Go | HTTP headers, cookies, and POST form fields | wildcard | `password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie` |
| .NET | HTTP headers, cookies, and POST form fields | wildcard | `password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie` |

Status

| Agent | Align sanitize_field_names option + central config |
| --- | --- |
| Java | issue, details |
| .NET | issue, details |
| Go | issue, details |
| PHP | issue, details |
| Ruby | issue, details |
| Node.js | issue, details |
| Python | issue, details; issue, details |
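The table above describes the wildcard semantics the Java, Go and .NET agents already share and that the other agents are asked to adopt: a field *name* is compared against a list of patterns in which `*` matches any run of characters, and the *value* of any matching header, cookie or POST form field is replaced before the event leaves the process. The following Python block is an added illustration of that behaviour, not code from any Elastic agent. The default pattern list is copied from the table; the `[REDACTED]` marker, the case-insensitive comparison and the `FieldNameSanitizer` class name are assumptions made for the example, and the request data is constructed.

```python
import re
from typing import Any, Dict, Iterable, Mapping

# Default patterns as listed in the issue table for the Java, Go and .NET agents.
DEFAULT_SANITIZE_FIELD_NAMES = [
    "password", "passwd", "pwd", "secret", "*key", "*token*",
    "*session*", "*credit*", "*card*", "authorization", "set-cookie",
]

# Replacement marker: an assumption for this example, not the agents' own value.
REDACTED = "[REDACTED]"


def compile_wildcard(pattern: str) -> "re.Pattern[str]":
    """Turn a '*' wildcard into an anchored regular expression.

    Only '*' is special (it matches any run of characters); every other
    character is matched literally. Case-insensitive matching is an assumption
    made here so that 'Authorization' and 'authorization' are treated alike.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


class FieldNameSanitizer:
    """Redacts the value of any field whose name matches a configured pattern."""

    def __init__(self, patterns: Iterable[str] = DEFAULT_SANITIZE_FIELD_NAMES) -> None:
        self._patterns = [compile_wildcard(p) for p in patterns]

    def matches(self, name: str) -> bool:
        return any(p.match(name) for p in self._patterns)

    def sanitize_fields(self, fields: Mapping[str, Any]) -> Dict[str, Any]:
        """Applies to HTTP header maps and POST form field maps alike."""
        return {k: (REDACTED if self.matches(k) else v) for k, v in fields.items()}

    def sanitize_cookie_header(self, cookie_header: str) -> str:
        """Redact individual cookies inside a 'Cookie: a=1; b=2' header value."""
        out = []
        for pair in cookie_header.split(";"):
            pair = pair.strip()
            if not pair:
                continue
            name, sep, value = pair.partition("=")
            name = name.strip()
            if sep and self.matches(name):
                value = REDACTED
            out.append(f"{name}={value}" if sep else name)
        return "; ".join(out)

    def sanitize_request(self, headers: Mapping[str, Any], form: Mapping[str, Any]) -> Dict[str, Any]:
        """Apply the rules to headers, to the cookies inside the Cookie header, and to form fields."""
        clean_headers = self.sanitize_fields(headers)
        for key, value in headers.items():
            if key.lower() == "cookie" and isinstance(value, str):
                clean_headers[key] = self.sanitize_cookie_header(value)
        return {"headers": clean_headers, "form": self.sanitize_fields(form)}


# Constructed sample request; not real traffic.
SAMPLE_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": "Bearer eyJ...",
    "X-Api-Key": "abc123",
    "Cookie": "sessionid=s3cr3t; theme=dark",
}
SAMPLE_FORM = {"username": "alice", "password": "hunter2", "credit_card": "4111..."}


if __name__ == "__main__":
    import json
    print(json.dumps(FieldNameSanitizer().sanitize_request(SAMPLE_HEADERS, SAMPLE_FORM), indent=2))
```

Running the block shows `Authorization`, `X-Api-Key`, the `sessionid` cookie, `password` and `credit_card` replaced while `Content-Type`, `theme` and `username` pass through untouched; passing an empty pattern list disables redaction entirely, which is the behaviour the `[]`/`""` discussion below is about.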
@mikker
Contributor

mikker commented Aug 18, 2020

Ruby's [] is equivalent to "", the empty string is just converted to an empty array. However, a bunch of filters are provided as defaults in https://github.com/elastic/apm-agent-ruby/blob/69d78f1ae30beb2629730e623ac19cf7265484e5/lib/elastic_apm/transport/filters/hash_sanitizer.rb#L26-L40. There's no provided method of turning them off.

@mikker
Contributor

mikker commented Aug 18, 2020

Similarly the Node.js agent uses this https://github.com/watson/redact-secrets here https://github.com/elastic/apm-agent-nodejs/blob/68b50f6d1f66684bb77621d2b27d044b9994b36f/lib/filters/http-headers.js.

@felixbarny
Member Author

Would it be feasible for the Python, Ruby, and Node.js agents to align with the rest?

*hides*

@mikker
Contributor

mikker commented Aug 18, 2020

Fine with me 👍. Seems like something we could soft-deprecate and keep the fallback until next major.

@mikker
Contributor

mikker commented Aug 18, 2020

No advantage in being the earliest agents anymore, I see that 😉

@basepi
Contributor

basepi commented Aug 18, 2020

Yes, Python can align without even needing to follow a deprecation path, since the other agents have a superset of exclusions compared to us.

@felixbarny
Member Author

Ok, that was easier than I thought 🙂

@basepi @mikker could you create implementation issues?

@basepi
Contributor

basepi commented Aug 18, 2020

@felixbarny
Member Author

Superseded by #334

@AlexanderWert
Member

Reopening to track the meta status of this

@AlexanderWert
Member

Closing: Implemented in all Agents.
