feat: parse request body for outgoing http #1339

Open
giortzisg wants to merge 3 commits into feat/sensitive-grpc from feat/sensitive-outgoing-http

@giortzisg giortzisg commented Jul 1, 2026

Contributor

Description

This adds request and response parsing for outgoing http client spans.

Changelog Entry

  • Add ClientOptions.DataCollection for granular control over data collected by automatic instrumentation, replacing the broad SendDefaultPII switch. DataCollection can independently configure automatic user.* population, cookies, request/response headers, HTTP bodies, and query parameters. When configured, it is the source of truth and SendDefaultPII is ignored.
    • For backwards compatibility, clients that do not configure DataCollection keep a best-effort mapping of the previous SendDefaultPII behavior. To opt in to the new defaults, pass an empty DataCollection and then restrict individual categories as needed.
    sentry.Init(sentry.ClientOptions{
    	Dsn: "https://public@example.com/1",
    
    	// Opt in to the new data collection defaults. Omitted fields use their
    	// defaults: user info, cookies, headers, query params, and supported HTTP
    	// bodies are collected, with sensitive values filtered.
    	DataCollection: &sentry.DataCollection{},
    })
    • To opt in while disabling automatic user info and HTTP bodies, configure those fields explicitly:
    sentry.Init(sentry.ClientOptions{
    	Dsn: "https://public@example.com/1",
    	DataCollection: &sentry.DataCollection{
    		UserInfo:   sentry.Set(false),
    		HTTPBodies: []sentry.BodyType{},
    	},
    })

giortzisg force-pushed the feat/sensitive-grpc branch from ed9967f to 753d7fa on July 1, 2026 08:44

github-actions Bot commented Jul 1, 2026

Semver Impact of This PR

🟡 Minor (new features)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

  • Add ClientOptions.DataCollection for granular control over data collected by automatic instrumentation, replacing the broad SendDefaultPII switch. DataCollection can independently configure automatic user.* population, cookies, request/response headers, HTTP bodies, and query parameters. When configured, it is the source of truth and SendDefaultPII is ignored. by giortzisg in #1339
    • For backwards compatibility, clients that do not configure DataCollection keep a best-effort mapping of the previous SendDefaultPII behavior. To opt in to the new defaults, pass an empty DataCollection and then restrict individual categories as needed.
    sentry.Init(sentry.ClientOptions{
        Dsn: "https://public@example.com/1",
    
        // Opt in to the new data collection defaults. Omitted fields use their
        // defaults: user info, cookies, headers, query params, and supported HTTP
        // bodies are collected, with sensitive values filtered.
        DataCollection: &sentry.DataCollection{},
    })
    • To opt in while disabling automatic user info and HTTP bodies, configure those fields explicitly:
    sentry.Init(sentry.ClientOptions{
        Dsn: "https://public@example.com/1",
        DataCollection: &sentry.DataCollection{
            UserInfo:   sentry.Set(false),
            HTTPBodies: []sentry.BodyType{},
        },
    })
  • PushScope shorthand now returns the new scope reference by DoctorJohn in #1335

Bug Fixes 🐛

  • Isolate event processor across clones by giortzisg in #1337

Internal Changes 🔧

  • Move limited buffer under utils by giortzisg in #1338

🤖 This preview updates automatically when you update the PR.

giortzisg changed the title from "ref: move limited buffer under utils (#1338)" to "feat: parse request body for outgoing http" on Jul 1, 2026
giortzisg force-pushed the feat/sensitive-outgoing-http branch from 197f83e to 5b4b523 on July 1, 2026 08:48
@giortzisg giortzisg requested a review from Litarnus July 1, 2026 08:52

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Reviewed by Cursor Bugbot for commit 52c44a1. Configure here.

giortzisg force-pushed the feat/sensitive-grpc branch from 753d7fa to 8bd0126 on July 1, 2026 10:10
giortzisg force-pushed the feat/sensitive-outgoing-http branch from dabeae6 to aa6ad61 on July 1, 2026 10:10
if !dc.CollectCookies() {
continue
}
value = dc.FilterCookies(strings.Join(values, "; "))

Bug: The logic for parsing Set-Cookie headers incorrectly joins multiple headers with "; " and then splits by ;, misinterpreting cookie attributes as cookie names.
Severity: MEDIUM

Suggested Fix

Instead of joining multiple Set-Cookie headers with a semicolon, they should be handled individually. Iterate through the values slice from the header map. For each value (which represents a full Set-Cookie string like session=secret; Path=/), call FilterCookies on it separately and append the results. This will prevent cookie attributes from being incorrectly split and parsed as cookie names.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: httpclient/sentryhttpclient.go#L210

Potential issue: When processing multiple `Set-Cookie` response headers, the code joins
them with `"; "` before parsing. Since individual `Set-Cookie` headers use semicolons to
separate attributes (e.g., `Path`, `HttpOnly`), the subsequent split by `;` in
`FilterCookies` and `parseKeyValueString` causes these attributes to be misinterpreted
as cookie names. This results in corrupted and incorrect
`http.response.header.set-cookie` data on the Sentry span for any standard server
response that includes cookie attributes.
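
The failure mode described in the review comment above, as an added Go example that is not code from this PR or from sentry-go. `splitPairs` is a hypothetical stand-in for a `;`-splitting parser of the kind the comment attributes to `FilterCookies`, the header values are constructed, and `[Filtered]` is a placeholder mask applied to every cookie value for simplicity.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPairs is a hypothetical Cookie-header style parser: every
// ";"-separated segment is treated as a cookie name with an optional value.
func splitPairs(s string) []string {
	var names []string
	for _, seg := range strings.Split(s, ";") {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		name, _, _ := strings.Cut(seg, "=")
		names = append(names, name)
	}
	return names
}

// namesJoined reproduces the reported behaviour: all Set-Cookie values are
// joined with "; " first, so attributes become indistinguishable from cookies.
func namesJoined(values []string) []string {
	return splitPairs(strings.Join(values, "; "))
}

// redactEach handles each Set-Cookie value on its own. Only the pair before
// the first ";" is the cookie; the rest are attributes and are kept verbatim.
func redactEach(values []string) []string {
	out := make([]string, 0, len(values))
	for _, v := range values {
		pair, attrs, hasAttrs := strings.Cut(v, ";")
		name, _, _ := strings.Cut(strings.TrimSpace(pair), "=")
		red := name + "=[Filtered]" // placeholder mask, assumed for this example
		if hasAttrs {
			red += ";" + attrs
		}
		out = append(out, red)
	}
	return out
}

func main() {
	// Constructed sample: two Set-Cookie response header values.
	values := []string{"session=secret; Path=/; HttpOnly", "theme=dark; Path=/"}
	fmt.Println(namesJoined(values)) // Path and HttpOnly appear as cookie names
	fmt.Println(redactEach(values))  // one redacted entry per header
}
```

A regression test for the fix can assert that a response with N `Set-Cookie` headers yields exactly N recorded cookies and that no attribute name such as `Path` or `HttpOnly` appears among them.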
