SanitizeData not sanitizing properly when value is a Hash

[ericproulx]

Hi,

We have a RoR app and our sentry is configure like this :

Raven.configure do |config|
  config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
end

A classic :)

Unfortunately, when dealing with a sanitize_field that has a Hash for value, the code isn't ` sanitizing it properly.

Here's a spec that currently fails :

describe Raven::Processor::SanitizeData do
  before do
    config = Struct.new(:sanitize_fields, :sanitize_credit_cards, :sanitize_fields_excluded).new([], true, [])
    client = Struct.new(:configuration).new(config)
    @processor = Raven::Processor::SanitizeData.new(client)
  end

  it 'should filter http data' do
    @processor.sanitize_fields = ['password']

    data = {
      'sentry.interfaces.Http' => {
        'data' => {
          'foo' => 'bar',
          'password' => {
            'new' => 'test'
          }
        }
      }
    }

    result = @processor.process(data)
    vars = result["sentry.interfaces.Http"]["data"]
    expect(vars["password"]).to eq(Raven::Processor::SanitizeData::STRING_MASK)
  end
end

I did compare with RoR filtering and it works as expected.

# Rails.application.config.filter_parameters+= [:password]
f = ActionDispatch::Http::ParameterFilter.new(Rails.application.config.filter_parameters)
f.filter :password => {:new => "4111111111111111"}
# gives    { :password => "[FILTERED]"}

Based on def process in raven/processor/sanitizedata.rb, you could add a simple return when value is a Hash

def process(value, key = nil)
      case value
        when Hash
        return STRING_MASK if key =~ fields_re  # this line solves the problem
        !value.frozen? ? value.merge!(value) { |k, v| process v, k } : value.merge(value) { |k, v| process v, k }
 ...

Thanks and keep on the good work :)

[st0012]

@ericproulx thanks for the detailed description! I have added a fix for this in #984