Clarify in configuration.md docs if regexp allowed for scrub_fields #413

Closed
eliotsykes opened this issue Mar 23, 2016 · 10 comments

@eliotsykes

I'm looking at an app that contains many sensitive fields so I'd like to default to scrubbing all fields as they shouldn't be logged to a 3rd party (no offence intended Rollbar).

It's unclear from the docs (configuration.md) if the scrub_fields config accepts a regex, e.g. it's not clear if this would work.

```ruby
SCRUB_ALL_FIELDS_PATTERN = /.+/
Rollbar.configuration.scrub_fields += [SCRUB_ALL_FIELDS_PATTERN]
```

@jondeandres
Contributor

Hi @eliotsykes, thanks for reaching out.

When we filter the parameters we build a regex in this way:

```ruby
sensitive_params_regexp = Regexp.new(sensitive_params.map{ |val| Regexp.escape(val.to_s).to_s }.join('|'), true)
```

So I'd say that regex expressions don't work for scrubbing parameters. We have on our roadmap to improve this functionality, but I can't tell you right now when that will be ready.

@eliotsykes
Author

Thanks for the fast response @jondeandres! Until the feature is added, is there a recommended workaround to prevent all request params from being logged to Rollbar?

@jondeandres
Contributor

Hey @eliotsykes, you could monkey patch this method in this module, https://github.com/rollbar/rollbar-gem/blob/master/lib/rollbar/request_data_extractor.rb#L191-L213, so it generates a new Hash with obfuscated values.

I think we should probably make scrubbing more powerful, so thank you for opening an issue 😄

@eliotsykes
Author

Yep - at the moment this makes it less straightforward to recommend Rollbar to businesses operating under strict PII regulations.

@jondeandres
Contributor

@eliotsykes what requirements do you have? We could try to work on this in a few days.

@eliotsykes
Author

There are many request params (100+) from many forms (and growing) that all contain PII data.

This PII data ought not to be exposed to 3rd parties (including Rollbar). Exception messages are fine as they contain no PII. It's the request params that often contain personally identifiable info (e.g. birthday, financial info, more).

@jondeandres
Contributor

aha, what features would you like to have?

  • scrub all params? this can be easily done
  • scrub by regex? this will take a little more time but it's doable

@eliotsykes
Author

> scrub all params

would be absolutely fine for right now.

jondeandres pushed a commit that referenced this issue Apr 15, 2016
This PR allows setting the `scrub_fields` configuration option to have the value
`:scrub_all` so every parameter will be scrubbed.

This is useful if the privacy policy is very heavy.

Closes #413
@eliotsykes
Author

👍 Brilliant, thanks @jondeandres!

@jondeandres
Contributor

jondeandres commented Apr 18, 2016

hey @eliotsykes, we hope your experience with this feature is successful. ping us if you have any problem with something.

btw, we'll release this today or tomorrow.
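
The behaviour discussed in this thread, as an added example that is not rollbar-gem's own code: the matcher is built the way the quoted `Regexp.new` line does it, so a `/.+/` entry is escaped into a literal string and scrubs nothing extra, while a `:scrub_all` value (named in the commit message) masks every parameter. `build_scrub_regexp`, `scrub_params`, `MASK` and the sample params are hypothetical names and constructed data.

```ruby
# Added illustration; not code from rollbar-gem. Only the Regexp.new
# construction mirrors the line quoted in the thread.
MASK = '*' * 8

# Every entry is stringified and escaped, so regex metacharacters in a
# scrub field lose their meaning and are matched literally.
def build_scrub_regexp(fields)
  Regexp.new(fields.map { |val| Regexp.escape(val.to_s) }.join('|'), true)
end

# Hypothetical helper: returns a scrubbed copy of request params.
# scrub_fields is either a list of field names or the symbol :scrub_all.
def scrub_params(value, scrub_fields, regexp = nil)
  scrub_all = scrub_fields == :scrub_all
  regexp ||= build_scrub_regexp(scrub_fields) unless scrub_all
  case value
  when Hash
    value.each_with_object({}) do |(key, val), out|
      # A named field is masked whole, even when its value is nested.
      named = !scrub_all && regexp.match?(key.to_s)
      out[key] = named ? MASK : scrub_params(val, scrub_fields, regexp)
    end
  when Array
    value.map { |val| scrub_params(val, scrub_fields, regexp) }
  else
    scrub_all ? MASK : value # leaves survive only in field-list mode
  end
end

# Constructed sample request params (not real data).
PARAMS = {
  'email' => 'jane@example.test',
  'birthday' => '1980-01-01',
  'card' => { 'number' => '4111111111111111', 'Password' => 'hunter2' }
}.freeze

# The attempt from the first comment: /.+/ becomes the literal "(?-mix:.+)".
PATTERN_ATTEMPT = scrub_params(PARAMS, ['password', /.+/])
# The value added by the referenced commit: every leaf is masked.
SCRUB_ALL = scrub_params(PARAMS, :scrub_all)

if __FILE__ == $PROGRAM_NAME
  puts "field list + /.+/: #{PATTERN_ATTEMPT.inspect}"
  puts ":scrub_all:        #{SCRUB_ALL.inspect}"
end
```

With the field list, only the key matching `password` (case-insensitively) is masked and the PII fields pass through, which is why the regex entry is not a safe default for the case described in the issue.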
