Skip to content

feat(core): Parse individual cookies from cookie header#18325

Merged
s1gr1d merged 11 commits intodevelopfrom
sig/cookie-headers
Dec 10, 2025
Merged

feat(core): Parse individual cookies from cookie header#18325
s1gr1d merged 11 commits intodevelopfrom
sig/cookie-headers

Conversation

@s1gr1d
Copy link
Copy Markdown
Member

@s1gr1d s1gr1d commented Nov 25, 2025
edited by github-actions Bot
Loading

Parse each individual cookie header and filter sensitive cookies to at least know which keys the cookie string included.

Follow-up on #18311

Closes #18441

@s1gr1d s1gr1d requested review from Lms24 and andreiborza November 25, 2025 13:59
sentry[bot]
sentry Bot reviewed Nov 25, 2025
View reviewed changes
Comment thread packages/core/src/utils/request.ts
@@ -180,6 +196,26 @@ export function httpHeadersToSpanAttributes(
return spanAttributes;
}

This comment was marked as outdated.

Sign in to view

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 25, 2025
edited
Loading

size-limit report 📦

Path Size % Change Change
@sentry/browser 24.8 kB - -
@sentry/browser - with treeshaking flags 23.31 kB - -
@sentry/browser (incl. Tracing) 41.54 kB - -
@sentry/browser (incl. Tracing, Profiling) 46.13 kB - -
@sentry/browser (incl. Tracing, Replay) 79.96 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 69.69 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 84.64 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 96.88 kB - -
@sentry/browser (incl. Feedback) 41.48 kB - -
@sentry/browser (incl. sendFeedback) 29.49 kB - -
@sentry/browser (incl. FeedbackAsync) 34.47 kB - -
@sentry/react 26.52 kB - -
@sentry/react (incl. Tracing) 43.74 kB - -
@sentry/vue 29.25 kB - -
@sentry/vue (incl. Tracing) 43.34 kB - -
@sentry/svelte 24.82 kB - -
CDN Bundle 27.21 kB - -
CDN Bundle (incl. Tracing) 42.21 kB - -
CDN Bundle (incl. Tracing, Replay) 78.75 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) 84.2 kB - -
CDN Bundle - uncompressed 79.96 kB - -
CDN Bundle (incl. Tracing) - uncompressed 125.34 kB - -
CDN Bundle (incl. Tracing, Replay) - uncompressed 241.37 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 254.13 kB - -
@sentry/nextjs (client) 45.96 kB - -
@sentry/sveltekit (client) 41.9 kB - -
@sentry/node-core 51.5 kB +0.46% +232 B 🔺
@sentry/node 159.76 kB +0.15% +239 B 🔺
@sentry/node - without tracing 92.85 kB -0.01% -1 B 🔽
@sentry/aws-serverless 108.38 kB +0.22% +234 B 🔺

View base workflow run

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 25, 2025
edited
Loading

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 11,507 - 8,693 +32%
GET With Sentry 2,054 18% 1,701 +21%
GET With Sentry (error only) 7,896 69% 6,002 +32%
POST Baseline 1,219 - 1,196 +2%
POST With Sentry 618 51% 595 +4%
POST With Sentry (error only) 1,088 89% 1,057 +3%
MYSQL Baseline 4,061 - 3,301 +23%
MYSQL With Sentry 630 16% 599 +5%
MYSQL With Sentry (error only) 3,342 82% 2,666 +25%

View base workflow run

cursor[bot]
cursor Bot reviewed Nov 25, 2025
View reviewed changes
Comment thread packages/core/src/utils/request.ts Outdated
Comment thread packages/core/src/utils/request.ts
Lms24
Lms24 reviewed Nov 26, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@Lms24 Lms24 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think bugbot is right with the cookie/set-cookie difference, so let's double check this.

one more Q: Do we need to adjust the semantic conventions for "sub" http headers? From what I can tell the spec covers arbitrary keys afoter http.request.headers.<key> but I just want to make sure <key> could contain another . as in the cookie header attribute case.

Comment thread packages/core/src/utils/request.ts
} else if (typeof value === 'string') {
spanAttributes[normalizedKey] = value;
const lowerCasedHeaderKey = key.toLowerCase();
const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';
Copy link
Copy Markdown
Member

@Lms24 Lms24 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

l: probably saves us a few bytes:

Suggested change
const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';
const isCookieHeader = /^(set-)cookie$?/.test(lowerCasedHeaderKey)

Comment thread packages/core/src/utils/request.ts
const lowerCasedHeaderKey = key.toLowerCase();
const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';

if (isCookieHeader && typeof value === 'string' && value !== '') {
Copy link
Copy Markdown
Member

@Lms24 Lms24 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

q: do we handle arrays of cookie headers? (or is this not relevant for cookie/set-cookie?)

Copy link
Copy Markdown
Member Author

@s1gr1d s1gr1d Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the sake of simplicity (as cookies are one string), an array would just be parsed as ...header.cookie: [Filtered]. There is also a test that checks that a cookie attribute is always filtered.

Comment thread packages/core/test/lib/utils/request.test.ts Outdated
});

it('attaches and filters sensitive a set-cookie header', () => {
const headers1 = { 'Set-Cookie': 'user_session=def456' };
Copy link
Copy Markdown
Member

@Lms24 Lms24 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

l: let's add or adjust a test here for a set-cookie header with additional properties (e.g. like max-age)

This was referenced Dec 9, 2025
Closed
Closed
sentry[bot]
sentry Bot reviewed Dec 9, 2025
View reviewed changes
Comment thread packages/node-core/src/integrations/http/httpServerSpansIntegration.ts
sentry[bot]
sentry Bot reviewed Dec 9, 2025
View reviewed changes
Comment thread packages/core/src/utils/request.ts
Comment on lines +179 to +180
const isSetCookie = lowerCasedHeaderKey === 'set-cookie';
const semicolonIndex = value.indexOf(';');

This comment was marked as outdated.

Sign in to view

cursor[bot]
cursor Bot reviewed Dec 9, 2025
View reviewed changes
Comment thread packages/sveltekit/src/server-common/handle.ts Outdated
@s1gr1d s1gr1d merged commit ec8c8c6 into develop Dec 10, 2025
206 checks passed
@s1gr1d s1gr1d deleted the sig/cookie-headers branch December 10, 2025 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

@Lms24 Lms24 Lms24 approved these changes

@andreiborza andreiborza Awaiting requested review from andreiborza

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(core): Parse individual cookies from cookie header

2 participants

@s1gr1d @Lms24