Description
Is there an existing issue for this?
- I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- I have reviewed the documentation https://docs.sentry.io/
- I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Self-hosted/on-premise
Which package are you using?
@sentry/node
SDK Version
7.7.0
Framework Version
7.7.0
Link to Sentry event
No response
Steps to Reproduce
Using @sentry/node, Sentry.Handlers.requestHandler does not clean up cookie sent in the headers, from express-based app by default.
We are using a React-app with express-server dealing with SSR.
In case of SSR-errors, @sentry/node is being used for handling errors.
According to documentation, passing this options object: { request: ['headers', 'method', 'query_string', 'url'] } in Sentry.Handlers.requestHandler, will NOT include cookies into the payload with an error-event sent to Sentry.
In our case it does and Sentry parses it as if we would actually pass the 'cookies' key into the options.request array.
Here is code to reproduce this in a basic express-app:
const Sentry = require('@sentry/node');
const app = require('express')();
const port = 3000;
Sentry.init({
dsn: DSN_KEY,
autoSessionTracking: false,
release: RELEASE,
beforeSend(event) {
console.log(event); // Will have cookie prop in the headers.
},
});
app.use(Sentry.Handlers.requestHandler({
request: ['headers', 'method', 'query_string', 'url'],
}));
app.get('/', (req, res) => {
throw new Error('pep, an error');
res.send('Hello World!');
});
app.use(Sentry.Handlers.errorHandler({
shouldHandleError() {
return true;
},
}));
app.listen(port, () => {
console.log(`Example app listening on port ${port}`);
});Expected Result
Not passing 'cookies' key in the options.request array will clean up cookies from headers.
Actual Result
While not passing cookies key in the options.request we still get cookies in the reports, being sent to Sentry.