
Some concerns about PII: send_default_pii not being completely used, silent update on transactions capture with potential PII #2438

@pbernery


Issue Description

I am reporting some concerns about PII, after discovering some data on Sentry that I didn't know was being captured.

I enabled Sentry Transaction/Performance 2 years ago. At that time, only the controller actions were reported, if I am not mistaken.
Some months ago, I upgraded from 5.7.0 to 5.16.1. I usually read the changelog to check for any important changes, particularly around PII.

I discovered some weeks ago that the params of the controller actions are now captured. Some investigation on my side showed that this comes from #1973, which was reported as "Fix sentry-rails' controller span nesting", without mentioning this change in what is captured, if I am not mistaken. This PR was introduced in 5.8.0.

Also, the send_default_pii option (https://docs.sentry.io/platforms/ruby/configuration/options/#send-default-pii) is documented as follows:

When its value is false (the default), sensitive information like:

  • user ip
  • user cookie
  • request body
  • query string in the url

won't be sent to Sentry.

which is not true here, as the params are the body of the request. I expect this option to hide params in transactions, and probably in other places too.

What's your point of view?
Did I miss something in the release notes or any other news channel?

Reproduction Steps

  • upgrade from 5.7.0 to 5.16.1,
  • params are added as span tags,
  • content is displayed on Sentry interface.

Expected Behavior

  • changelog mentioning any changes that may impact PII or any other data captured,
  • treat these changes as breaking changes, and thus bump the version accordingly.

Actual Behavior

  • changelog not mentioning this critical change in captured data,
  • version not increased accordingly.

Ruby Version

3.3.4

SDK Version

5.21.0

Integration and Its Version

No response

Sentry Config

No response
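The following is an added example, not code from the issue author or from the sentry-ruby/sentry-rails projects. It shows the mitigation a practitioner would reach for while the reported behaviour stands: redacting request parameters and the other fields the send_default_pii documentation lists (cookies, request body, query string) from a transaction event before it leaves the process, including the per-span data/tags where the issue says the params now appear. The event is modelled as a plain Hash in the shape of a Sentry transaction envelope item; the key under which sentry-rails stores controller params ("params" in the span's data hash) is an assumption, so both span data and span tags are walked. The sentry-ruby option `config.before_send_transaction` exists, but the real hook receives an event object rather than a Hash, so the wiring comment is a sketch only.

```ruby
# Added example (not from the issue or the sentry-ruby project).
# Wiring sketch, an assumption about the event object's accessors:
#   Sentry.init do |config|
#     config.send_default_pii = false
#     config.before_send_transaction = ->(event, _hint) { scrub it here; return event }
#   end

REDACTED = "[Filtered]".freeze

# Keys whose values are redacted wherever they occur (compared case-insensitively).
# "params" is the key this example assumes sentry-rails uses for controller params.
SENSITIVE_KEYS = %w[params request_body password token authorization cookie cookies].freeze

def sensitive_key?(key)
  SENSITIVE_KEYS.include?(key.to_s.downcase)
end

# Returns [scrubbed_copy, redaction_count]. A matching key is replaced whole, so
# nested params cannot leak through an unlisted sub-key. The input is not mutated.
def scrub(value)
  case value
  when Hash
    count = 0
    out = value.each_with_object({}) do |(k, v), acc|
      if sensitive_key?(k)
        acc[k] = REDACTED
        count += 1
      else
        scrubbed, n = scrub(v)
        acc[k] = scrubbed
        count += n
      end
    end
    [out, count]
  when Array
    count = 0
    out = value.map do |v|
      scrubbed, n = scrub(v)
      count += n
      scrubbed
    end
    [out, count]
  else
    [value, 0]
  end
end

# Scrubs a transaction event: the request interface (sensitive body keys, cookies,
# and the free-text query string, which is redacted whole) plus the data/tags of
# every span. Returns [scrubbed_event, redaction_count]; the input is left intact.
def scrub_transaction(event)
  out = event.dup
  total = 0

  request = event["request"]
  if request
    request, n = scrub(request)
    total += n
    qs = request["query_string"]
    if qs && !qs.empty?
      request["query_string"] = REDACTED
      total += 1
    end
    out["request"] = request
  end

  out["spans"] = (event["spans"] || []).map do |span|
    scrubbed, n = scrub(span) # op/description are kept; data/tags are walked
    total += n
    scrubbed
  end

  [out, total]
end

# Constructed sample in the shape of a Sentry transaction envelope item, with the
# controller params the issue describes sitting in the controller span's data
# hash (an assumption about where sentry-rails puts them).
SAMPLE_TRANSACTION = {
  "type" => "transaction",
  "transaction" => "UsersController#update",
  "request" => {
    "url" => "https://app.example.test/users/42",
    "method" => "PATCH",
    "query_string" => "redirect=1",
    "cookies" => { "_session_id" => "opaque-session-cookie" },
  },
  "spans" => [
    {
      "op" => "rails.request",
      "description" => "UsersController#update",
      "data" => { "params" => { "email" => "alice@example.test", "password" => "hunter2" } },
      "tags" => {},
    },
    { "op" => "db.sql.active_record", "description" => "UPDATE users SET ...", "data" => {} },
  ],
}.freeze

if $PROGRAM_NAME == __FILE__
  scrubbed, count = scrub_transaction(SAMPLE_TRANSACTION)
  puts "redacted #{count} values"
  p scrubbed["spans"][0]["data"]
end
```

Redacting a matching key whole rather than descending into it is deliberate: a denylist of sub-keys ("password", "email", ...) always lags behind the application's actual parameter names, whereas dropping the entire params hash matches what the reporter expected send_default_pii = false to do.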
