getsentry
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎sentry-android-core/proguard-rules.pro‎
Lines changed: 3 additions & 0 deletions b/‎sentry-android-core/proguard-rules.pro‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎sentry-spring-jakarta/src/main/java/io/sentry/spring/jakarta/SentryRequestResolver.java‎
Lines changed: 58 additions & 7 deletions b/‎sentry-spring-jakarta/src/main/java/io/sentry/spring/jakarta/SentryRequestResolver.java‎
Lines changed: 58 additions & 7 deletions
diff --git a/‎sentry-spring-jakarta/src/main/java/io/sentry/spring/jakarta/webflux/SentryRequestResolver.java‎
Lines changed: 13 additions & 4 deletions b/‎sentry-spring-jakarta/src/main/java/io/sentry/spring/jakarta/webflux/SentryRequestResolver.java‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎sentry-spring-jakarta/src/test/kotlin/io/sentry/spring/jakarta/SentrySpringFilterTest.kt‎
Lines changed: 13 additions & 5 deletions b/‎sentry-spring-jakarta/src/test/kotlin/io/sentry/spring/jakarta/SentrySpringFilterTest.kt‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎sentry-spring/src/main/java/io/sentry/spring/SentryRequestResolver.java‎
Lines changed: 58 additions & 7 deletions b/‎sentry-spring/src/main/java/io/sentry/spring/SentryRequestResolver.java‎
Lines changed: 58 additions & 7 deletions
diff --git a/‎sentry-spring/src/main/java/io/sentry/spring/webflux/SentryRequestResolver.java‎
Lines changed: 13 additions & 4 deletions b/‎sentry-spring/src/main/java/io/sentry/spring/webflux/SentryRequestResolver.java‎
Lines changed: 13 additions & 4 deletions
@@ -14,8 +14,12 @@
 
 - Fix timestamps of slow and frozen frames for profiles ([#2584](https://github.com/getsentry/sentry-java/pull/2584))
 - Deprecate reportFullDisplayed in favor of reportFullyDisplayed ([#2585](https://github.com/getsentry/sentry-java/pull/2585))
+- Filter out session cookies sent by Spring and Spring Boot integrations ([#2593](https://github.com/getsentry/sentry-java/pull/2593))
+  - We filter out some common cookies like JSESSIONID
+  - We also read the value from `server.servlet.session.cookie.name` and filter it out
 - No longer send event / transaction to Sentry if `beforeSend` / `beforeSendTransaction` throws ([#2591](https://github.com/getsentry/sentry-java/pull/2591))
 - Add version to sentryClientName used in auth header ([#2596](https://github.com/getsentry/sentry-java/pull/2596))
+- Keep integration names from being obfuscated ([#2599](https://github.com/getsentry/sentry-java/pull/2599))
 
 ### Dependencies
 
 
@@ -29,4 +29,7 @@
 # https://developer.android.com/studio/build/shrink-code#decode-stack-trace
 -keepattributes LineNumberTable,SourceFile
 
+# Keep Classnames for integrations
+-keepnames class * implements io.sentry.IntegrationName
+
 ##---------------End: proguard configuration for android-core  ----------
@@ -2,21 +2,26 @@
 
 import com.jakewharton.nopen.annotation.Open;
 import io.sentry.IHub;
+import io.sentry.SentryLevel;
 import io.sentry.protocol.Request;
 import io.sentry.util.HttpUtils;
 import io.sentry.util.Objects;
 import io.sentry.util.UrlUtils;
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.SessionCookieConfig;
 import jakarta.servlet.http.HttpServletRequest;
+import java.util.Arrays;
 import java.util.Collections;
-import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
 @Open
 public class SentryRequestResolver {
   private final @NotNull IHub hub;
+  private volatile @Nullable List<String> extraSecurityCookies;
 
   public SentryRequestResolver(final @NotNull IHub hub) {
     this.hub = Objects.requireNonNull(hub, "options is required");
@@ -31,27 +36,73 @@ public SentryRequestResolver(final @NotNull IHub hub) {
         UrlUtils.parse(httpRequest.getRequestURL().toString());
     urlDetails.applyToRequest(sentryRequest);
     sentryRequest.setQueryString(httpRequest.getQueryString());
-    sentryRequest.setHeaders(resolveHeadersMap(httpRequest));
+    final @NotNull List<String> additionalSecurityCookieNames =
+        extractSecurityCookieNamesOrUseCached(httpRequest);
+    sentryRequest.setHeaders(resolveHeadersMap(httpRequest, additionalSecurityCookieNames));
 
     if (hub.getOptions().isSendDefaultPii()) {
-      sentryRequest.setCookies(toString(httpRequest.getHeaders("Cookie")));
+      String cookieName = HttpUtils.COOKIE_HEADER_NAME;
+      final @Nullable List<String> filteredHeaders =
+          HttpUtils.filterOutSecurityCookiesFromHeader(
+              httpRequest.getHeaders(cookieName), cookieName, additionalSecurityCookieNames);
+      sentryRequest.setCookies(toString(filteredHeaders));
     }
     return sentryRequest;
   }
 
   @NotNull
-  Map<String, String> resolveHeadersMap(final @NotNull HttpServletRequest request) {
+  Map<String, String> resolveHeadersMap(
+      final @NotNull HttpServletRequest request,
+      final @NotNull List<String> additionalSecurityCookieNames) {
     final Map<String, String> headersMap = new HashMap<>();
     for (String headerName : Collections.list(request.getHeaderNames())) {
       // do not copy personal information identifiable headers
       if (hub.getOptions().isSendDefaultPii() || !HttpUtils.containsSensitiveHeader(headerName)) {
-        headersMap.put(headerName, toString(request.getHeaders(headerName)));
+        final @Nullable List<String> filteredHeaders =
+            HttpUtils.filterOutSecurityCookiesFromHeader(
+                request.getHeaders(headerName), headerName, additionalSecurityCookieNames);
+        headersMap.put(headerName, toString(filteredHeaders));
       }
     }
     return headersMap;
   }
 
-  private static @Nullable String toString(final @Nullable Enumeration<String> enumeration) {
-    return enumeration != null ? String.join(",", Collections.list(enumeration)) : null;
+  private List<String> extractSecurityCookieNamesOrUseCached(
+      final @NotNull HttpServletRequest httpRequest) {
+    if (extraSecurityCookies == null) {
+      synchronized (SentryRequestResolver.class) {
+        if (extraSecurityCookies == null) {
+          extraSecurityCookies = extractSecurityCookieNames(httpRequest);
+        }
+      }
+    }
+
+    return extraSecurityCookies;
+  }
+
+  private List<String> extractSecurityCookieNames(final @NotNull HttpServletRequest httpRequest) {
+    try {
+      final @Nullable ServletContext servletContext = httpRequest.getServletContext();
+      if (servletContext != null) {
+        final @Nullable SessionCookieConfig sessionCookieConfig =
+            servletContext.getSessionCookieConfig();
+        if (sessionCookieConfig != null) {
+          final @Nullable String cookieName = sessionCookieConfig.getName();
+          if (cookieName != null) {
+            return Arrays.asList(cookieName);
+          }
+        }
+      }
+    } catch (Throwable t) {
+      hub.getOptions()
+          .getLogger()
+          .log(SentryLevel.WARNING, "Failed to extract session cookie name from request.", t);
+    }
+
+    return Collections.emptyList();
+  }
+
+  private static @Nullable String toString(final @Nullable List<String> list) {
+    return list != null ? String.join(",", list) : null;
   }
 }
@@ -7,6 +7,7 @@
 import io.sentry.util.Objects;
 import io.sentry.util.UrlUtils;
 import java.net.URI;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -36,7 +37,11 @@ public SentryRequestResolver(final @NotNull IHub hub) {
     sentryRequest.setHeaders(resolveHeadersMap(httpRequest.getHeaders()));
 
     if (hub.getOptions().isSendDefaultPii()) {
-      sentryRequest.setCookies(toString(httpRequest.getHeaders().get("Cookies")));
+      String headerName = HttpUtils.COOKIE_HEADER_NAME;
+      sentryRequest.setCookies(
+          toString(
+              HttpUtils.filterOutSecurityCookiesFromHeader(
+                  httpRequest.getHeaders().get(headerName), headerName, Collections.emptyList())));
     }
     return sentryRequest;
   }
@@ -46,9 +51,13 @@ Map<String, String> resolveHeadersMap(final HttpHeaders request) {
     final Map<String, String> headersMap = new HashMap<>();
     for (Map.Entry<String, List<String>> entry : request.entrySet()) {
       // do not copy personal information identifiable headers
-      if (hub.getOptions().isSendDefaultPii()
-          || !HttpUtils.containsSensitiveHeader(entry.getKey())) {
-        headersMap.put(entry.getKey(), toString(entry.getValue()));
+      String headerName = entry.getKey();
+      if (hub.getOptions().isSendDefaultPii() || !HttpUtils.containsSensitiveHeader(headerName)) {
+        headersMap.put(
+            headerName,
+            toString(
+                HttpUtils.filterOutSecurityCookiesFromHeader(
+                    entry.getValue(), headerName, Collections.emptyList())));
       }
     }
     return headersMap;
 
@@ -10,6 +10,7 @@ import io.sentry.SentryOptions.RequestSize.MEDIUM
 import io.sentry.SentryOptions.RequestSize.NONE
 import io.sentry.SentryOptions.RequestSize.SMALL
 import jakarta.servlet.FilterChain
+import jakarta.servlet.ServletContext
 import jakarta.servlet.http.HttpServletRequest
 import org.assertj.core.api.Assertions
 import org.mockito.kotlin.any
@@ -150,24 +151,27 @@ class SentrySpringFilterTest {
     }
 
     @Test
-    fun `when sendDefaultPii is set to true, attaches cookies information to Scope request`() {
+    fun `when sendDefaultPii is set to true, attaches filtered cookies to Scope request`() {
         val sentryOptions = SentryOptions().apply {
             isSendDefaultPii = true
         }
 
         val listener = fixture.getSut(
             request = MockMvcRequestBuilders
                 .get(URI.create("http://example.com?param1=xyz"))
-                .header("Cookie", "name=value")
-                .header("Cookie", "name2=value2")
-                .buildRequest(MockServletContext()),
+                .header("Cookie", "name=value; JSESSIONID=123; mysessioncookiename=789")
+                .header("Cookie", "name2=value2; SID=456")
+                .buildRequest(servletContextWithCustomCookieName("mysessioncookiename")),
             options = sentryOptions
         )
 
         listener.doFilter(fixture.request, fixture.response, fixture.chain)
 
         assertNotNull(fixture.scope.request) {
-            assertEquals("name=value,name2=value2", it.cookies)
+            val expectedCookieString =
+                "name=value; JSESSIONID=[Filtered]; mysessioncookiename=[Filtered],name2=value2; SID=[Filtered]"
+            assertEquals(expectedCookieString, it.cookies)
+            assertEquals(expectedCookieString, it.headers!!["Cookie"])
         }
     }
 
@@ -269,4 +273,8 @@ class SentrySpringFilterTest {
             }
         }
     }
+
+    private fun servletContextWithCustomCookieName(name: String): ServletContext {
+        return MockServletContext().also { it.sessionCookieConfig.name = name }
+    }
 }
@@ -2,21 +2,26 @@
 
 import com.jakewharton.nopen.annotation.Open;
 import io.sentry.IHub;
+import io.sentry.SentryLevel;
 import io.sentry.protocol.Request;
 import io.sentry.util.HttpUtils;
 import io.sentry.util.Objects;
 import io.sentry.util.UrlUtils;
+import java.util.Arrays;
 import java.util.Collections;
-import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
+import javax.servlet.ServletContext;
+import javax.servlet.SessionCookieConfig;
 import javax.servlet.http.HttpServletRequest;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
 @Open
 public class SentryRequestResolver {
   private final @NotNull IHub hub;
+  private volatile @Nullable List<String> extraSecurityCookies;
 
   public SentryRequestResolver(final @NotNull IHub hub) {
     this.hub = Objects.requireNonNull(hub, "options is required");
@@ -31,27 +36,73 @@ public SentryRequestResolver(final @NotNull IHub hub) {
         UrlUtils.parse(httpRequest.getRequestURL().toString());
     urlDetails.applyToRequest(sentryRequest);
     sentryRequest.setQueryString(httpRequest.getQueryString());
-    sentryRequest.setHeaders(resolveHeadersMap(httpRequest));
+    final @NotNull List<String> additionalSecurityCookieNames =
+        extractSecurityCookieNamesOrUseCached(httpRequest);
+    sentryRequest.setHeaders(resolveHeadersMap(httpRequest, additionalSecurityCookieNames));
 
     if (hub.getOptions().isSendDefaultPii()) {
-      sentryRequest.setCookies(toString(httpRequest.getHeaders("Cookie")));
+      String cookieName = HttpUtils.COOKIE_HEADER_NAME;
+      final @Nullable List<String> filteredHeaders =
+          HttpUtils.filterOutSecurityCookiesFromHeader(
+              httpRequest.getHeaders(cookieName), cookieName, additionalSecurityCookieNames);
+      sentryRequest.setCookies(toString(filteredHeaders));
     }
     return sentryRequest;
   }
 
   @NotNull
-  Map<String, String> resolveHeadersMap(final @NotNull HttpServletRequest request) {
+  Map<String, String> resolveHeadersMap(
+      final @NotNull HttpServletRequest request,
+      final @NotNull List<String> additionalSecurityCookieNames) {
     final Map<String, String> headersMap = new HashMap<>();
     for (String headerName : Collections.list(request.getHeaderNames())) {
       // do not copy personal information identifiable headers
       if (hub.getOptions().isSendDefaultPii() || !HttpUtils.containsSensitiveHeader(headerName)) {
-        headersMap.put(headerName, toString(request.getHeaders(headerName)));
+        final @Nullable List<String> filteredHeaders =
+            HttpUtils.filterOutSecurityCookiesFromHeader(
+                request.getHeaders(headerName), headerName, additionalSecurityCookieNames);
+        headersMap.put(headerName, toString(filteredHeaders));
       }
     }
     return headersMap;
   }
 
-  private static @Nullable String toString(final @Nullable Enumeration<String> enumeration) {
-    return enumeration != null ? String.join(",", Collections.list(enumeration)) : null;
+  private List<String> extractSecurityCookieNamesOrUseCached(
+      final @NotNull HttpServletRequest httpRequest) {
+    if (extraSecurityCookies == null) {
+      synchronized (SentryRequestResolver.class) {
+        if (extraSecurityCookies == null) {
+          extraSecurityCookies = extractSecurityCookieNames(httpRequest);
+        }
+      }
+    }
+
+    return extraSecurityCookies;
+  }
+
+  private List<String> extractSecurityCookieNames(final @NotNull HttpServletRequest httpRequest) {
+    try {
+      final @Nullable ServletContext servletContext = httpRequest.getServletContext();
+      if (servletContext != null) {
+        final @Nullable SessionCookieConfig sessionCookieConfig =
+            servletContext.getSessionCookieConfig();
+        if (sessionCookieConfig != null) {
+          final @Nullable String cookieName = sessionCookieConfig.getName();
+          if (cookieName != null) {
+            return Arrays.asList(cookieName);
+          }
+        }
+      }
+    } catch (Throwable t) {
+      hub.getOptions()
+          .getLogger()
+          .log(SentryLevel.WARNING, "Failed to extract session cookie name from request.", t);
+    }
+
+    return Collections.emptyList();
+  }
+
+  private static @Nullable String toString(final @Nullable List<String> list) {
+    return list != null ? String.join(",", list) : null;
   }
 }
@@ -7,6 +7,7 @@
 import io.sentry.util.Objects;
 import io.sentry.util.UrlUtils;
 import java.net.URI;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -36,7 +37,11 @@ public SentryRequestResolver(final @NotNull IHub hub) {
     sentryRequest.setHeaders(resolveHeadersMap(httpRequest.getHeaders()));
 
     if (hub.getOptions().isSendDefaultPii()) {
-      sentryRequest.setCookies(toString(httpRequest.getHeaders().get("Cookies")));
+      String headerName = HttpUtils.COOKIE_HEADER_NAME;
+      sentryRequest.setCookies(
+          toString(
+              HttpUtils.filterOutSecurityCookiesFromHeader(
+                  httpRequest.getHeaders().get(headerName), headerName, Collections.emptyList())));
     }
     return sentryRequest;
   }
@@ -46,9 +51,13 @@ Map<String, String> resolveHeadersMap(final HttpHeaders request) {
     final Map<String, String> headersMap = new HashMap<>();
     for (Map.Entry<String, List<String>> entry : request.entrySet()) {
       // do not copy personal information identifiable headers
-      if (hub.getOptions().isSendDefaultPii()
-          || !HttpUtils.containsSensitiveHeader(entry.getKey())) {
-        headersMap.put(entry.getKey(), toString(entry.getValue()));
+      String headerName = entry.getKey();
+      if (hub.getOptions().isSendDefaultPii() || !HttpUtils.containsSensitiveHeader(headerName)) {
+        headersMap.put(
+            headerName,
+            toString(
+                HttpUtils.filterOutSecurityCookiesFromHeader(
+                    entry.getValue(), headerName, Collections.emptyList())));
       }
     }
     return headersMap;
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ import io.sentry.SentryOptions.RequestSize.MEDIUM`
`10`	`10`	`import io.sentry.SentryOptions.RequestSize.NONE`
`11`	`11`	`import io.sentry.SentryOptions.RequestSize.SMALL`
`12`	`12`	`import jakarta.servlet.FilterChain`
	`13`	`+import jakarta.servlet.ServletContext`
`13`	`14`	`import jakarta.servlet.http.HttpServletRequest`
`14`	`15`	`import org.assertj.core.api.Assertions`
`15`	`16`	`import org.mockito.kotlin.any`
`@@ -150,24 +151,27 @@ class SentrySpringFilterTest {`
`150`	`151`	`}`
`151`	`152`
`152`	`153`	`@Test`
`153`		- fun `when sendDefaultPii is set to true, attaches cookies information to Scope request`() {
	`154`	+ fun `when sendDefaultPii is set to true, attaches filtered cookies to Scope request`() {
`154`	`155`	`val sentryOptions = SentryOptions().apply {`
`155`	`156`	`isSendDefaultPii = true`
`156`	`157`	`}`
`157`	`158`
`158`	`159`	`val listener = fixture.getSut(`
`159`	`160`	`request = MockMvcRequestBuilders`
`160`	`161`	`.get(URI.create("http://example.com?param1=xyz"))`
`161`		`- .header("Cookie", "name=value")`
`162`		`- .header("Cookie", "name2=value2")`
`163`		`- .buildRequest(MockServletContext()),`
	`162`	`+ .header("Cookie", "name=value; JSESSIONID=123; mysessioncookiename=789")`
	`163`	`+ .header("Cookie", "name2=value2; SID=456")`
	`164`	`+ .buildRequest(servletContextWithCustomCookieName("mysessioncookiename")),`
`164`	`165`	`options = sentryOptions`
`165`	`166`	`)`
`166`	`167`
`167`	`168`	`listener.doFilter(fixture.request, fixture.response, fixture.chain)`
`168`	`169`
`169`	`170`	`assertNotNull(fixture.scope.request) {`
`170`		`- assertEquals("name=value,name2=value2", it.cookies)`
	`171`	`+ val expectedCookieString =`
	`172`	`+ "name=value; JSESSIONID=[Filtered]; mysessioncookiename=[Filtered],name2=value2; SID=[Filtered]"`
	`173`	`+ assertEquals(expectedCookieString, it.cookies)`
	`174`	`+ assertEquals(expectedCookieString, it.headers!!["Cookie"])`
`171`	`175`	`}`
`172`	`176`	`}`
`173`	`177`
`@@ -269,4 +273,8 @@ class SentrySpringFilterTest {`
`269`	`273`	`}`
`270`	`274`	`}`
`271`	`275`	`}`
	`276`	`+`
	`277`	`+ private fun servletContextWithCustomCookieName(name: String): ServletContext {`
	`278`	`+ return MockServletContext().also { it.sessionCookieConfig.name = name }`
	`279`	`+ }`
`272`	`280`	`}`