Added allowlist for Sentry transactions (#19538)

refs
[ARCH-41](https://linear.app/tryghost/issue/ARCH-41/add-allowlist-for-sentry-transactions)

Added allowlist for Sentry transactions so that we can better control
the data we are putting into Sentry
Michael Barrett 2024-01-23 08:22:57 +00:00 committed by GitHub
parent aa5cd13aec
commit 57810cd34e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 46 additions and 1 deletions


@ -57,6 +57,27 @@ const beforeSend = function (event, hint) {
}
};
const ALLOWED_HTTP_TRANSACTIONS = [
'/ghost/api',
'/members/api'
].map((path) => {
// Sentry names HTTP transactions like: "<HTTP_METHOD> <PATH>" i.e. "GET /ghost/api/content/settings"
return new RegExp(`^(GET|POST|PUT|DELETE)\\s(?<path>${path}\\/.+)`);
});
const beforeSendTransaction = function (event) {
// Drop transactions that are not in the allowed list
for (const transaction of ALLOWED_HTTP_TRANSACTIONS) {
const match = event.transaction.match(transaction);
if (match?.groups?.path) {
return event;
}
}
return null;
};
if (sentryConfig && !sentryConfig.disabled) {
const Sentry = require('@sentry/node');
const version = require('@tryghost/version').full;
@ -72,7 +93,8 @@ if (sentryConfig && !sentryConfig.disabled) {
environment: environment,
maxValueLength: 1000,
integrations: [],
beforeSend
beforeSend,
beforeSendTransaction
};
// Enable tracing if sentry.tracing.enabled is true
@ -117,6 +139,7 @@ if (sentryConfig && !sentryConfig.disabled) {
captureException: Sentry.captureException,
captureMessage: Sentry.captureMessage,
beforeSend: beforeSend,
beforeSendTransaction: beforeSendTransaction,
initQueryTracing: (knex) => {
if (sentryConfig.tracing?.enabled === true) {
const integration = new SentryKnexTracingIntegration(knex);
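Review bot: `event.transaction.match(transaction)` in beforeSendTransaction throws a TypeError when the event carries no `transaction` name; Sentry presumably treats a throwing hook as a rejection and drops the event, but a guard is quieter and intentional, so use `const match = event.transaction?.match(transaction);` and let a nameless event fall through to `return null`. The method alternation `(GET|POST|PUT|DELETE)` also silently drops PATCH, HEAD and OPTIONS transactions under the allowed paths; if that is intentional, a comment on ALLOWED_HTTP_TRANSACTIONS saying so would help, otherwise widen the group. The interpolated `${path}` goes into the RegExp unescaped, which is fine for the two literal prefixes here but deserves a comment such as `// paths are embedded in a RegExp unescaped: no regex metacharacters` so later additions do not break the pattern. The enclosing `if (sentryConfig && !sentryConfig.disabled)` block and the object literal in the third hunk end outside the section.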


@ -155,4 +155,26 @@ describe('UNIT: sentry', function () {
assert.deepEqual(result, expected);
});
});
describe('beforeTransaction', function () {
it('filters transactions based on an allow list', function () {
sentry = require('../../../core/shared/sentry');
const beforeSendTransaction = sentry. beforeSendTransaction;
const allowedTransactions = [
{transaction: 'GET /ghost/api/settings'},
{transaction: 'PUT /members/api/member'},
{transaction: 'POST /ghost/api/tiers'},
{transaction: 'DELETE /members/api/member'}
];
allowedTransactions.forEach((transaction) => {
assert.equal(beforeSendTransaction(transaction), transaction);
});
assert.equal(beforeSendTransaction({transaction: 'GET /foo/bar'}), null);
assert.equal(beforeSendTransaction({transaction: 'Some other transaction'}), null);
});
});
});
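Review bot: The new describe block is named 'beforeTransaction' while the function under test is exported as beforeSendTransaction, and the accessor on the next line carries a stray space, `sentry. beforeSendTransaction`; `describe('beforeSendTransaction', function () {` and `const beforeSendTransaction = sentry.beforeSendTransaction;` keep the test discoverable by name. The negative cases only cover paths outside the allowlist; adding `{transaction: 'GET /ghost/api'}` (prefix with no sub-path) and `{transaction: 'GET /ghost/apix/foo'}` (constructed) would pin the trailing-slash requirement of the regex, and an event without a `transaction` property would document how the hook behaves on malformed input. The `allowedTransactions.forEach` loop uses `assert.equal` to compare the same object reference, so `assert.strictEqual` states that intent more precisely.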