Skip to content

fix(supabase): Consider sendDefaultPii for supabase integration#20490

Merged
mydea merged 3 commits intodevelopfrom
fn/better-pii-supabase
Apr 27, 2026
Merged

fix(supabase): Consider sendDefaultPii for supabase integration#20490
mydea merged 3 commits intodevelopfrom
fn/better-pii-supabase

Conversation

@mydea
Copy link
Copy Markdown
Member

@mydea mydea commented Apr 24, 2026

We did not consider sendDefaultPii for the supabase integration. However:

The Supabase integration captures the full request body of POST/PATCH/PUT/DELETE operations (database mutations) and attaches it as the 'db.body' span attribute (line 387). This body contains the actual data being inserted or updated in Supabase tables, which commonly includes PII such as user emails, names, addresses, and other sensitive fields. Unlike other integrations (e.g., the MCP server integration which checks sendDefaultPii), the Supabase integration performs no sendDefaultPii check and applies no filtering or redaction to the captured body. Additionally, query filter values from URL search parameters are captured at lines 351-355, which can also contain PII used in WHERE clauses.

This PR fixes this.

@mydea mydea self-assigned this Apr 24, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 24, 2026
edited
Loading

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path Size % Change Change
@sentry/browser 25.96 kB - -
@sentry/browser - with treeshaking flags 24.44 kB - -
@sentry/browser (incl. Tracing) 43.89 kB - -
@sentry/browser (incl. Tracing + Span Streaming) 45.53 kB - -
@sentry/browser (incl. Tracing, Profiling) 48.84 kB - -
@sentry/browser (incl. Tracing, Replay) 83.09 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 72.59 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 87.77 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 100.38 kB - -
@sentry/browser (incl. Feedback) 43.18 kB - -
@sentry/browser (incl. sendFeedback) 30.77 kB - -
@sentry/browser (incl. FeedbackAsync) 35.93 kB - -
@sentry/browser (incl. Metrics) 27.25 kB - -
@sentry/browser (incl. Logs) 27.38 kB - -
@sentry/browser (incl. Metrics & Logs) 28.07 kB - -
@sentry/react 27.72 kB - -
@sentry/react (incl. Tracing) 46.13 kB - -
@sentry/vue 30.81 kB - -
@sentry/vue (incl. Tracing) 45.71 kB - -
@sentry/svelte 25.98 kB - -
CDN Bundle 28.66 kB - -
CDN Bundle (incl. Tracing) 46.12 kB - -
CDN Bundle (incl. Logs, Metrics) 30.03 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) 47.17 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) 68.99 kB - -
CDN Bundle (incl. Tracing, Replay) 83.19 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 84.22 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) 89 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 90.06 kB - -
CDN Bundle - uncompressed 83.91 kB - -
CDN Bundle (incl. Tracing) - uncompressed 137.82 kB - -
CDN Bundle (incl. Logs, Metrics) - uncompressed 88.06 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 141.23 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 211.63 kB - -
CDN Bundle (incl. Tracing, Replay) - uncompressed 255.26 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 258.66 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 268.96 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 272.35 kB - -
@sentry/nextjs (client) 48.62 kB - -
@sentry/sveltekit (client) 44.33 kB - -
@sentry/node-core 58.52 kB +0.02% +9 B 🔺
@sentry/node 175.84 kB +0.01% +14 B 🔺
@sentry/node - without tracing 98.32 kB +0.02% +12 B 🔺
@sentry/aws-serverless 115.52 kB -0.01% -4 B 🔽

View base workflow run

JPeer264
JPeer264 approved these changes Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@JPeer264 JPeer264 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't worked with supabase yet, but it would be interesting to know if the query really contains sensitive data, usually it is stripped away.

Also FWIW the db.query and db.body are not in our convetions: https://getsentry.github.io/sentry-conventions/attributes/db/#db-query-text

@mydea
Copy link
Copy Markdown
Member Author

mydea commented Apr 24, 2026

I haven't worked with supabase yet, but it would be interesting to know if the query really contains sensitive data, usually it is stripped away.

as far as I can see (I also have no prior experience with the supabase integration) we monkey patch this ourselves and thus get all the content directly, so I assume there would be no sanitization from supabases side here?

Also FWIW the db.query and db.body are not in our convetions: https://getsentry.github.io/sentry-conventions/attributes/db/#db-query-text

good point, we should look at possibly adjusting this in a follow up!

cursor[bot]
cursor Bot reviewed Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 32f9b58. Configure here.

Comment thread packages/core/src/integrations/supabase.ts Outdated
@JPeer264
Copy link
Copy Markdown
Member

JPeer264 commented Apr 24, 2026

I just checked it and it is Pii:

(no pii)

await supabase.from('todos').insert({
  task: 'PLAINTEXT-MARKER-abc123-secret',
  email: 'alice.secret@example.com',
  name: 'Alice Private',
})

Produces: https://sentry-sdks.sentry.io/explore/traces/trace/0fe31d6488d01268fd56d6f4577f7845/?node=span-1e3ecc6bd26bc043&project=4510555608449024&source=traces&statsPeriod=1h&targetId=0ed06734b3444fe7&timestamp=1777031451

Picture image

(pii)

This one is quite interesting, as on the attributes it is "[Filtered]" but on the top it shows the query in plain text

await supabase
  .from('todos')
  .select('*')
  .eq('email', 'alice.secret@example.com')

Produces: https://sentry-sdks.sentry.io/explore/traces/trace/0fe31d6488d01268fd56d6f4577f7845/?node=span-72b3ea27d93fc700&project=4510555608449024&source=traces&statsPeriod=1h&targetId=0ed06734b3444fe7&timestamp=1777031451

Picture image

@mydea mydea force-pushed the fn/better-pii-supabase branch from 7b8d92c to 8f2dedf Compare April 27, 2026 08:25
@mydea mydea merged commit cdd8b08 into develop Apr 27, 2026
255 checks passed
@mydea mydea deleted the fn/better-pii-supabase branch April 27, 2026 08:54
@sentry-release-bot sentry-release-bot Bot mentioned this pull request Apr 29, 2026
Closed
47 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@JPeer264 JPeer264 JPeer264 approved these changes

@isaacs isaacs Awaiting requested review from isaacs

@andreiborza andreiborza Awaiting requested review from andreiborza

Assignees

@mydea mydea

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mydea @JPeer264