Implement a Sentry processor to sanitize sensitive data

Issue https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/849

lib/gitlab/error_tracking.rb

@@ -19,7 +19,10 @@ module Gitlab
     PROCESSORS = [
       ::Gitlab::ErrorTracking::Processor::SidekiqProcessor,
       ::Gitlab::ErrorTracking::Processor::GrpcErrorProcessor,
-      ::Gitlab::ErrorTracking::Processor::ContextPayloadProcessor
+      ::Gitlab::ErrorTracking::Processor::ContextPayloadProcessor,
+      # IMPORTANT: this processor must stay at the bottom, right before
+      # sending the event to Sentry.
+      ::Gitlab::ErrorTracking::Processor::SanitizerProcessor
     ].freeze
 
     class << self
@@ -28,14 +31,7 @@ module Gitlab
           config.dsn = sentry_dsn
           config.release = Gitlab.revision
           config.environment = Gitlab.config.sentry.environment
-
-          # Sanitize fields based on those sanitized from Rails.
-          # config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
-
-          # Sanitize authentication headers
-          # config.sanitize_http_headers = %w[Authorization Private-Token]
           config.before_send = method(:before_send)
-
           config.background_worker_threads = 0
 
           yield config if block_given?

lib/gitlab/error_tracking/processor/sanitizer_processor.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module ErrorTracking
+    module Processor
+      module SanitizerProcessor
+        SANITIZED_HTTP_HEADERS = %w[Authorization Private-Token].freeze
+        SANITIZED_ATTRIBUTES = %i[user contexts extra tags].freeze
+
+        # This processor removes sensitive fields or headers from the event
+        # before sending Sentry versions above 4.0 don't support
+        # sanitized_fileds and sanitized_http_headers anymore. The official
+        # document recommends using before_send instead.
+        #
+        # For more information, please visit:
+        # https://docs.sentry.io/platforms/ruby/guides/rails/configuration/filtering/#using-beforesend
+        def self.call(event)
+          if event.request.present? && event.request.headers.is_a?(Hash)
+            header_filter = ActiveSupport::ParameterFilter.new(SANITIZED_HTTP_HEADERS)
+            event.request.headers = header_filter.filter(event.request.headers)
+          end
+
+          attribute_filter = ActiveSupport::ParameterFilter.new(Rails.application.config.filter_parameters)
+          SANITIZED_ATTRIBUTES.each do |attribute|
+            event.send("#{attribute}=", attribute_filter.filter(event.send(attribute))) # rubocop:disable GitlabSecurity/PublicSend
+          end
+
+          event
+        end
+      end
+    end
+  end
+end

spec/lib/gitlab/error_tracking/processor/sanitizer_processor_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::ErrorTracking::Processor::SanitizerProcessor do
+  describe '.call' do
+    let(:event) { Sentry.get_current_client.event_from_exception(exception) }
+    let(:result_hash) { described_class.call(event).to_hash }
+
+    before do
+      data.each do |key, value|
+        event.send("#{key}=", value)
+      end
+    end
+
+    after do
+      Sentry.get_current_scope.clear
+    end
+
+    context 'when event attributes contains sensitive information' do
+      let(:exception) { RuntimeError.new }
+      let(:data) do
+        {
+          contexts: {
+            jwt: 'abcdef',
+            controller: 'GraphController#execute'
+          },
+          tags: {
+            variables: %w[some sensitive information'],
+            deep_hash: {
+              sharedSecret: 'secret123'
+            }
+          },
+          user: {
+            email: 'a@a.com',
+            password: 'nobodyknows'
+          },
+          extra: {
+            issue_url: 'http://gitlab.com/gitlab-org/gitlab-foss/-/issues/1',
+            my_token: '[FILTERED]',
+            another_token: '[FILTERED]'
+          }
+        }
+      end
+
+      it 'filters sensitive attributes' do
+        expect_next_instance_of(ActiveSupport::ParameterFilter) do |instance|
+          expect(instance).to receive(:filter).exactly(4).times.and_call_original
+        end
+
+        expect(result_hash).to include(
+          contexts: {
+            jwt: '[FILTERED]',
+            controller: 'GraphController#execute'
+          },
+          tags: {
+            variables: '[FILTERED]',
+            deep_hash: {
+              sharedSecret: '[FILTERED]'
+            }
+          },
+          user: {
+            email: 'a@a.com',
+            password: '[FILTERED]'
+          },
+          extra: {
+            issue_url: 'http://gitlab.com/gitlab-org/gitlab-foss/-/issues/1',
+            my_token: '[FILTERED]',
+            another_token: '[FILTERED]'
+          }
+        )
+      end
+    end
+
+    context 'when request headers contains sensitive information' do
+      let(:exception) { RuntimeError.new }
+      let(:data) { {} }
+
+      before do
+        event.rack_env = {
+          'HTTP_AUTHORIZATION' => 'Bearer 123456',
+          'HTTP_PRIVATE_TOKEN' => 'abcdef',
+          'HTTP_GITLAB_WORKHORSE_PROXY_START' => 123456
+        }
+      end
+
+      it 'filters sensitive headers' do
+        expect(result_hash[:request][:headers]).to include(
+          'Authorization' => '[FILTERED]',
+          'Private-Token' => '[FILTERED]',
+          'Gitlab-Workhorse-Proxy-Start' => '123456'
+        )
+      end
+    end
+  end
+end