We want to add sanitize_field_names to central config: #318
This is a setting that affects the security of the application so we want it to be aligned across agents and available in central config. This ensures that if information is leaking, it's quick and easy to update the sanitization logic across all agents.
This is the current state for our agents
| Agent | Applies to | Matching | Default |
|----------|------------|----------|---------|
| Python | stacktrace locals, cookies, headers, wsgi_env, querystring, request body (depending on processors)| contains? | authorization, password, secret, passwd, token, api_key, access_token, sessionid |
| Node.js | n/a | n/a | n/a |
| Ruby | HTTP headers and bodies | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie (from 4.0 released before or around 7.11) |
| Java | HTTP headers, cookies, and POST form fields | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie |
| Go | HTTP headers, cookies, and POST form fields | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie |
| .NET | HTTP headers, cookies, and POST form fields | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie |
| Summary: |
|
|---|---|
| Agent |Align sanitize_field_names option + central config |
|---|---:|
| Java |
|
| dot-net |
|
| Go |
|
| PHP |
|
| Ruby |
|
| NodeJS |
|
| Python |
|
Ruby's [] is equivalent to "", the empty string is just converted to an empty array. However, a bunch of filters are provided as defaults in https://github.com/elastic/apm-agent-ruby/blob/69d78f1ae30beb2629730e623ac19cf7265484e5/lib/elastic_apm/transport/filters/hash_sanitizer.rb#L26-L40. There's no provided method of turning them off.
Similarly the Node.js agent uses this https://github.com/watson/redact-secrets here https://github.com/elastic/apm-agent-nodejs/blob/68b50f6d1f66684bb77621d2b27d044b9994b36f/lib/filters/http-headers.js.
Would it be feasible for the Python, Ruby, and Node.js agents to align with the rest?
*hides*
Fine with me 馃憤. Seems like something we could soft-deprecate and keep the fallback until next major.
No advantage in being the earliest agents anymore, I see that 馃槈
Yes, python can align without even needing to follow a deprecation path, since the other agents have a superset of exclusions compared to us.
Ok, that was easier than I thought 馃檪
@basepi @mikker could you create implementation issues?
Superseded by #334
Reopening to track the meta status of this
Most helpful comment
No advantage in being the earliest agents anymore, I see that 馃槈