Trouble filtering using 'Additional sensitive fields'

I am having trouble using the ‘Additional sensitive fields’ data scrubber. I add the fields to the project and save them, for example:

selected_company_name
user_email

But the fields I have added to the ‘Additional sensitive fields’ data scrubber are still being automatically picked up and stored on Sentry:

I expect I am missing something basic, but can’t figure out what this is.

I can’t see how this wouldn’t be working. Can you confirm a few things:

  1. The event was stored after the setting was changed? (at least a few minutes after, depending on cache)
  2. The setting is on the same project as the event?
  3. The additional context is under “Additional Data”?

You’ll also want to make sure that you’ve enabled the data scrubber, and not just added values to “Additional sensitive fields” text box (which will have no effect if the scrubber is disabled):

Of note, we should probably improve these capabilities at some point, as there are little wins that have come up, including:

  • The ability to disable the default data scrubbing rules (without disabling the scrubber entirely)
  • The ability to specify an allow list of key names which should bypass the rules

I can confirm:

  1. The events were stored some time after the setting was changed
  2. The setting is on the same project as is triggering the event

However:

  3. The values are under the title of ‘User’:

Please note that there are lots of values being passed to Sentry that I have not deliberately added. The values I am passing are:

    $sentryClient->user_context(array(
        'id' => Session::get('user_id'),
        'user_account_type' => Session::get('user_account_type'),
        'selected_company_id' => Session::get('selected_company_id')
    ));

However it seems to be scraping all of the Session info.
I can confirm the data scrubber is enabled in settings.

I think our settings won’t apply to additional user context right now. We def should improve it to apply here, but arguably if you want to filter it you should change the app to avoid sending it which will always be safest.

Hi, I agree that it would be safer not to send the values, but I don’t have any control over it. I have tried to reduce the Sentry logging just down to the automatic error and exception catching by doing:

  require_once 'vendor/sentry/sentry/lib/Raven/Autoloader.php';
  Raven_Autoloader::register();

  // Enable Sentry automatic error and exception capturing, which is recommended
  $sentryClient = new Raven_Client('https://19d762c7df5f4b849a790efffcbbc192:b1bcdcdf3aae49d2b78570a675ec52cf@sentry.io/97114');
  $error_handler = new Raven_ErrorHandler($sentryClient);
  $error_handler->registerExceptionHandler();
  $error_handler->registerErrorHandler();
  $error_handler->registerShutdownFunction();
  // Creates a demo issue for Sentry
  trigger_error("create error show whether filtered values are being excluded.");

Even if I only use this default error handling the Sentry client is still collecting all of the session variables and passing them to sentry.io. Is there really no way to stop this happening?

We’ll get this fixed on the server:

https://github.com/getsentry/sentry/pull/4096

Thanks for getting that done so quickly @zeeg. I’m looking forward to it getting into the production version of Sentry so I can deploy my project.

@paultrotter50 we will likely be landing and deploying that change tomorrow (9/12)
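
The thread's advice to avoid sending sensitive values from the application can be applied by masking keys in the event payload before it leaves the process. The sketch below is an added example, not code from the thread or from the Sentry SDK: `scrub_event()` is a hypothetical helper, the event array is constructed sample data, and wiring it into whichever pre-send hook your SDK version offers is left as an assumption.

```php
<?php
// Added example: mask sensitive keys anywhere in a Sentry-style event array,
// including the "user" context that the server-side scrubber in this thread
// did not cover. scrub_event() is a hypothetical helper, not an SDK function.

const MASK = '********';

function scrub_event(array $data, array $sensitiveKeys): array
{
    // Compare case-insensitively so "User_Email" is caught as well.
    $needles = array_map('strtolower', $sensitiveKeys);

    $walk = function (array $node) use (&$walk, $needles): array {
        foreach ($node as $key => $value) {
            if (is_string($key) && in_array(strtolower($key), $needles, true)) {
                $node[$key] = MASK;           // mask the whole value, even if it is nested
            } elseif (is_array($value)) {
                $node[$key] = $walk($value);  // descend into user, extra, request, ...
            }
        }
        return $node;
    };

    return $walk($data);
}

// Constructed event: session values that ended up under "user" and "extra".
$event = [
    'message' => 'demo error',
    'user' => [
        'id' => 42,
        'user_account_type' => 'admin',
        'user_email' => 'jane@example.com',
        'selected_company_name' => 'Example Ltd',
    ],
    'extra' => [
        'session' => ['User_Email' => 'jane@example.com', 'theme' => 'dark'],
    ],
];

// Field names taken from the 'Additional sensitive fields' list in the thread.
$clean = scrub_event($event, ['selected_company_name', 'user_email']);

// Non-sensitive keys (id, user_account_type, theme) pass through unchanged.
echo json_encode($clean, JSON_PRETTY_PRINT), PHP_EOL;
```

Masking by key name only catches fields you have listed, so values that arrive under unexpected keys still need an allow-list approach or removal at the source.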