PII Scrubbing usernames from paths for Attachments / Minidumps not working

[gid-sentry]

Scrubbing seems to work for both attachment and event field for native crash events sent to /minidump endpoint via curl command.

Scrubbing does not work for "mannually" constructed event. Example:

void SendEventToSenty(const std::string& minidumpPath)
{
    sentry_options_t* options = sentry_options_new();
    sentry_options_set_dsn(options, "DSN");
    sentry_options_set_database_path(options, "c:\\temp\\sentry-db");
    sentry_options_set_release(options, "My_Minidump");
    sentry_options_set_debug(options, 1);
    
    sentry_options_add_attachment(options, minidumpPath.c_str());
    sentry_options_add_attachment(options,"c:\\temp\\logfile.txt");
   
    gMinidumpPath = new std::string(minidumpPath);
    sentry_init(options);

    sentry_value_t event = sentry_value_new_message_event(
        SENTRY_LEVEL_ERROR,
        "pii-test2",
        "PII test2"
    );
   
    sentry_capture_event(event);
    sentry_close();
}

Example links in Customer Case

[#4351 fix(pii): Fix scrubbing user paths in minidump debug modules](#4351)

did not fix it unfortunately

[gid-sentry]

Linked customer case https://www.notion.so/sentry/PII-Scrubbing-not-working-for-minidumps-attachments-in-events-created-via-native-sdk-1588b10e4b5d80cca407feef2663d0eb

[jjbayer]

• PII scrubbing in minidumps had a bug that prevented user paths from being scrubbed, that should be fixed by fix(pii): Fix scrubbing user paths in minidump debug modules #4351.
• Unlike what the docs imply, we do not scrub attachments other than minidumps. I will discuss with the team whether we can enable scrubbing for any attachment type, at least as a beta.
• Attaching the minidump via add_attachment does not work because it will be treated as a regular attachment with attachment type event.attachment (see above). Minidump attachments require attachment type event.minidump.

I will keep this issue open because we need to at least improve our docs around this topic.

[jjbayer]

Query to surface PII rules with $attachments.'some_file': https://redash.getsentry.net/queries/7999/

[jjbayer]

Limited attachment scrubbing is now enabled and documented here: https://docs.sentry.io/security-legal-pii/scrubbing/attachment-scrubbing/#attachment-source-selectors

@gid-sentry feel free to reopen if any users still encounter issues.

[MindWrapper]

Using the code example above, I uploaded an event logfile. txt attached with the following content.

Alice Johnson
[email protected] 
+1234567890
4111 1111 1111 1111
Bob Smith [email protected] +9876543210 5500 0000 0000 0004
Charlie Brown [email protected] +1928374650 3782 822463 10005
Dana White [email protected] +1029384756 6011 0009 9013 9424
path=c:\Users\yan\mylogfile.txt
password=mysupersecretpassword123

The masking rule is defined like this:

[Mask] [Email addresses] from [$attachments.'logfile.txt']

logfile.txt attached to an event is not scrubbed:
(it also doesn't work for a minidump, but I guess it is the same problem)

[jjbayer]

@MindWrapper thank you for the report, I will try to reproduce & get back to you.

[jjbayer]

This PR should fix the use case above, I will roll it out on Monday at the latest: #4441

[jjbayer]

@MindWrapper the fix is deployed now, let me know if it works for you!

[MindWrapper]

Hey @jjbayer, thank you very much for the fix. It works as expected.