Apm: Align sanitize_field_names option + central config

Created on 14 Aug 2020  路  10Comments  路  Source: elastic/apm

We want to add sanitize_field_names to central config: #318

This is a setting that affects the security of the application so we want it to be aligned across agents and available in central config. This ensures that if information is leaking, it's quick and easy to update the sanitization logic across all agents.

This is the current state for our agents

| Agent | Applies to | Matching | Default |
|----------|------------|----------|---------|
| Python | stacktrace locals, cookies, headers, wsgi_env, querystring, request body (depending on processors)| contains? | authorization, password, secret, passwd, token, api_key, access_token, sessionid |
| Node.js | n/a | n/a | n/a |
| Ruby | HTTP headers and bodies | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie (from 4.0 released before or around 7.11) |
| Java | HTTP headers, cookies, and POST form fields | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie |
| Go | HTTP headers, cookies, and POST form fields | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie |
| .NET | HTTP headers, cookies, and POST form fields | wildcard | password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, authorization, set-cookie |

Status

| Summary: | custom ep custom ep custom ep|
|---|---|

| Agent |Align sanitize_field_names option + central config |
|---|---:|
| Java | issue details issue details|
| dot-net | issue details issue details|
| Go |issue details issue details|
| PHP | issue details issue details|
| Ruby | issue details issue details|
| NodeJS | issue details issue details|
| Python | issue details issue details issue details issue details|

meta apm-agents :CentralManagement

Most helpful comment

No advantage in being the earliest agents anymore, I see that 馃槈

All 10 comments

Ruby's [] is equivalent to "", the empty string is just converted to an empty array. However, a bunch of filters are provided as defaults in https://github.com/elastic/apm-agent-ruby/blob/69d78f1ae30beb2629730e623ac19cf7265484e5/lib/elastic_apm/transport/filters/hash_sanitizer.rb#L26-L40. There's no provided method of turning them off.

Would it be feasible for the Python, Ruby, and Node.js agents to align with the rest?

*hides*

Fine with me 馃憤. Seems like something we could soft-deprecate and keep the fallback until next major.

No advantage in being the earliest agents anymore, I see that 馃槈

Yes, python can align without even needing to follow a deprecation path, since the other agents have a superset of exclusions compared to us.

Ok, that was easier than I thought 馃檪

@basepi @mikker could you create implementation issues?

Superseded by #334

Reopening to track the meta status of this

Was this page helpful?
0 / 5 - 0 ratings

Related issues

beniwohli picture beniwohli  路  9Comments

roncohen picture roncohen  路  3Comments

axw picture axw  路  11Comments

alvarolobato picture alvarolobato  路  9Comments

felixbarny picture felixbarny  路  10Comments