feat(processor): Add Span Attachment scrubbing logic #5449
Conversation
|
|
||
| let processor = PiiAttachmentsProcessor::new(config.compiled()); | ||
| let mut payload = body.to_vec(); | ||
| if processor.scrub_attachment(filename, &mut payload) { |
There was a problem hiding this comment.
I think we should emit the timer(RelayTimers::AttachmentScrubbing) metric here, either directly or by calling processing::utils::attachments::scrub_attachment.
There was a problem hiding this comment.
Ok will update. Was not a fan of calling fn scrub_attachment(item: &mut crate::envelope::Item, config: &relay_pii::PiiConfig) because than we would need to construct a mock item since we don't have an item here anymore (but maybe doing so is worth it just to have the code all in one place 🤔).
…om:getsentry/relay into tobias-wilfert/feat/attachmentv2-scrubbing
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| let filename = meta | ||
| .value() | ||
| .and_then(|m| m.filename.as_str()) | ||
| .unwrap_or_default(); |
There was a problem hiding this comment.
Bug: Filename extraction after meta scrubbing breaks body rule matching
The filename is extracted from meta after the meta has already been scrubbed (lines 291-296). Since AttachmentV2Meta.filename is marked with pii = "true", filenames containing PII patterns (like emails or IPs) would be modified during meta scrubbing. When the filename is then used for body scrubbing rule matching (e.g., $attachments.'[email protected]'), the rule won't match because the filename has been scrubbed to something like [email].log. This could cause body scrubbing rules to silently fail, leaving PII unscrubbed in the attachment body.
tobias-wilfert
deleted the
tobias-wilfert/feat/attachmentv2-scrubbing
branch
Adds the logic to scrub the attachment body as well as the attachment meta.
Closes INGEST-648