fix(live_view): scrub sensitive data from LiveView breadcrumbs

Sentry.LiveViewHook previously stored raw event params, handle_params
params, and URIs directly in breadcrumbs. Form submissions over the
LiveView WebSocket frequently contain passwords, tokens, and other
secrets, which were forwarded to Sentry unredacted.

The hook now passes breadcrumb data through Sentry.Scrubber.scrub_map/2
and URIs through Sentry.Scrubber.scrub_url/2 before adding them to the
breadcrumb trail. Users can override the scrubber by passing a
{module, function, args} tuple via on_mount opts, mirroring the
override mechanism already provided by Sentry.PlugCapture:

    on_mount {Sentry.LiveViewHook, scrubber: {MyApp.Scrubber, :scrub, []}}

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: solnic

lib/sentry/live_view_hook.ex

@@ -39,6 +39,28 @@ if Code.ensure_loaded?(Phoenix.LiveView) do
 
     You can also set this in your `MyAppWeb` module, so that all LiveViews that
     `use MyAppWeb, :live_view` will have this hook.
+
+    ## Scrubbing Sensitive Data
+
+    *Available since v13.1.0.*
+
+    LiveView events and `handle_params` calls frequently carry user-submitted
+    form data, which may include passwords or other sensitive values. Before
+    storing this data in breadcrumbs, this hook scrubs it using
+    `Sentry.Scrubber.scrub_map/2`. URI query strings stored in breadcrumbs are
+    scrubbed via `Sentry.Scrubber.scrub_url/2`.
+
+    To customize the scrubbing logic, pass a `:scrubber` option when attaching
+    the hook. The scrubber must be a `{module, function, args}` tuple; the
+    breadcrumb `data` map is prepended to `args` before invoking the function,
+    which must return a map.
+
+        on_mount {Sentry.LiveViewHook, scrubber: {MyApp.Scrubber, :scrub, []}}
+
+    The default scrubber is equivalent to:
+
+        {Sentry.LiveViewHook, :default_scrubber, []}
+
     """
 
     @moduledoc since: "10.5.0"
@@ -49,24 +71,81 @@ if Code.ensure_loaded?(Phoenix.LiveView) do
 
     require Logger
 
+    @scrubber_pdict_key {__MODULE__, :scrubber}
+
     # See also:
     # https://develop.sentry.dev/sdk/event-payloads/request/
 
     @doc false
-    @spec on_mount(:default, map() | :not_mounted_at_router, map(), struct()) :: {:cont, struct()}
-    def on_mount(:default, %{} = params, _session, socket), do: on_mount(params, socket)
-    def on_mount(:default, :not_mounted_at_router, _session, socket), do: {:cont, socket}
+    @spec on_mount(:default | keyword(), map() | :not_mounted_at_router, map(), struct()) ::
+            {:cont, struct()}
+    def on_mount(:default, params, session, socket),
+      do: on_mount([], params, session, socket)
+
+    def on_mount(opts, %{} = params, _session, socket) when is_list(opts) do
+      store_scrubber(opts)
+      on_mount(params, socket)
+    end
+
+    def on_mount(opts, :not_mounted_at_router, _session, socket) when is_list(opts) do
+      store_scrubber(opts)
+      {:cont, socket}
+    end
+
+    @doc """
+    The default scrubber applied to LiveView breadcrumb data.
+
+    Delegates to `Sentry.Scrubber.scrub_map/2` with the default sensitive
+    parameter keys.
+    """
+    @doc since: "13.1.0"
+    @spec default_scrubber(map()) :: map()
+    def default_scrubber(data) when is_map(data) do
+      Sentry.Scrubber.scrub_map(data)
+    end
 
     ## Helpers
 
+    defp store_scrubber(opts) do
+      case Keyword.get(opts, :scrubber, {__MODULE__, :default_scrubber, []}) do
+        {mod, fun, args} = scrubber when is_atom(mod) and is_atom(fun) and is_list(args) ->
+          Process.put(@scrubber_pdict_key, scrubber)
+
+        other ->
+          raise ArgumentError,
+                "expected :scrubber to be a {module, function, args} tuple, got: #{inspect(other)}"
+      end
+    end
+
+    defp scrub(data) when is_map(data) do
+      {mod, fun, args} =
+        Process.get(@scrubber_pdict_key, {__MODULE__, :default_scrubber, []})
+
+      case apply(mod, fun, [data | args]) do
+        result when is_map(result) ->
+          result
+
+        other ->
+          Logger.error(
+            "Sentry.LiveViewHook scrubber returned non-map value: #{inspect(other)}; " <>
+              "falling back to redacted data",
+            event_source: :logger
+          )
+
+          %{}
+      end
+    end
+
+    defp scrub_uri(uri) when is_binary(uri), do: Sentry.Scrubber.scrub_url(uri)
+
     defp on_mount(params, %Phoenix.LiveView.Socket{} = socket) do
       Context.set_extra_context(%{socket_id: socket.id})
       Context.set_request_context(%{url: socket.host_uri})
 
       Context.add_breadcrumb(%{
         category: "web.live_view.mount",
         message: "Mounted live view",
-        data: params
+        data: scrub(params)
       })
 
       if uri = get_connect_info_if_root(socket, :uri) do
@@ -105,7 +184,7 @@ if Code.ensure_loaded?(Phoenix.LiveView) do
       Context.add_breadcrumb(%{
         category: "web.live_view.event",
         message: inspect(event),
-        data: %{event: event, params: params}
+        data: scrub(%{event: event, params: params})
       })
 
       {:cont, socket}
@@ -121,13 +200,14 @@ if Code.ensure_loaded?(Phoenix.LiveView) do
     end
 
     defp handle_params_hook(params, uri, socket) do
+      scrubbed_uri = scrub_uri(uri)
       Context.set_extra_context(%{socket_id: socket.id})
-      Context.set_request_context(%{url: uri})
+      Context.set_request_context(%{url: scrubbed_uri})
 
       Context.add_breadcrumb(%{
         category: "web.live_view.params",
-        message: "#{uri}",
-        data: %{params: params, uri: uri}
+        message: "#{scrubbed_uri}",
+        data: scrub(%{params: params, uri: scrubbed_uri})
       })
 
       {:cont, socket}

test/sentry/live_view_hook_test.exs

@@ -14,7 +14,7 @@ defmodule SentryTest.Live do
     {:ok, socket}
   end
 
-  def handle_event("refresh", _params, socket) do
+  def handle_event(_event, _params, socket) do
     {:noreply, socket}
   end
 
@@ -23,6 +23,22 @@ defmodule SentryTest.Live do
   end
 end
 
+defmodule SentryTest.CustomScrubber do
+  def scrub(data), do: Sentry.Scrubber.scrub_map(data, keys: ["api_key"])
+end
+
+defmodule SentryTest.CustomScrubberLive do
+  use Phoenix.LiveView
+
+  on_mount {Sentry.LiveViewHook, scrubber: {SentryTest.CustomScrubber, :scrub, []}}
+
+  def render(assigns), do: ~H"<h1>custom</h1>"
+
+  def mount(_params, _session, socket), do: {:ok, socket}
+
+  def handle_event(_event, _params, socket), do: {:noreply, socket}
+end
+
 defmodule SentryTest.LiveComponent do
   use Phoenix.LiveComponent
 
@@ -66,6 +82,7 @@ defmodule SentryTest.Router do
   scope "/" do
     get "/dead_test", SentryTest.PageController, :page
     live "/hook_test", SentryTest.Live
+    live "/custom_scrubber", SentryTest.CustomScrubberLive
   end
 end
 
@@ -164,6 +181,57 @@ defmodule Sentry.LiveViewHookTest do
     assert Logger.metadata() == []
   end
 
+  test "scrubs sensitive data from breadcrumbs by default", %{conn: conn} do
+    {:ok, view, _html} = live(conn, "/hook_test")
+
+    render_hook(view, :login, %{
+      "email" => "user@example.com",
+      "password" => "supersecret",
+      "card" => "4111111111111111"
+    })
+
+    [event_breadcrumb | _] = get_sentry_context(view).breadcrumbs
+
+    assert event_breadcrumb.data == %{
+             event: "login",
+             params: %{
+               "email" => "user@example.com",
+               "password" => "*********",
+               "card" => "*********"
+             }
+           }
+  end
+
+  test "scrubs sensitive query params from URI in handle_params breadcrumb", %{conn: conn} do
+    {:ok, view, _html} = live(conn, "/hook_test?password=supersecret&visible=ok")
+
+    breadcrumbs = get_sentry_context(view).breadcrumbs
+    params_breadcrumb = Enum.find(breadcrumbs, &(&1.category == "web.live_view.params"))
+
+    refute params_breadcrumb.data.uri =~ "supersecret"
+    assert params_breadcrumb.data.uri =~ "password=%2A%2A%2A%2A%2A%2A%2A%2A%2A"
+    assert params_breadcrumb.data.uri =~ "visible=ok"
+  end
+
+  test "uses a user-supplied scrubber when configured", %{conn: conn} do
+    {:ok, view, _html} = live(conn, "/custom_scrubber")
+
+    render_hook(view, :submit, %{
+      "api_key" => "topsecret",
+      "other" => "not-redacted"
+    })
+
+    [event_breadcrumb | _] = get_sentry_context(view).breadcrumbs
+
+    assert event_breadcrumb.data == %{
+             event: "submit",
+             params: %{
+               "api_key" => "*********",
+               "other" => "not-redacted"
+             }
+           }
+  end
+
   defp get_sentry_context(view) do
     {:dictionary, pdict} = Process.info(view.pid, :dictionary)