feat: mask sensitive data inside objects and URLs in code variables

[ablaszkiewicz]

Overview

• It's faster. Much faster on nasty inputs (~57× on the worst case, comfortably sub-1ms) and faster than where we started even on ordinary exceptions. We compile the masking patterns once and cache them, fast-path the common value types, and collapse all the secret-name matching into a single regex pass.

• A little bit stricter limits — it's best-effort. If some exception has one bazillion triple-nested variables
  and crazy collections, we just stop very early instead of grinding through all of it. Hard caps on depth, collection width, total nodes, and string length.

• Connection URL detection. We scrub user:pass@host credentials out of DSNs / connection strings
  (postgres://…, redis://…, etc.), so a URL sitting in a local variable can't leak its password.

• Much more support for all the crazy ways a secret can end up in the final event. Secrets don't only live in plain attributes, so we now also catch sensitively-named @property, cached_property, __slots__, class-level
  attributes, descriptors and namedtuple fields, plus weird non-string dict keys. We never call a getter, and never
  trust a custom __repr__ that could rename a field out of the mask — when in doubt, fail closed.

• Brand new, ultra clean tests. Rewrote the entire suite. One idea per assertion.

Benchmark

Examples

	small	medium	maxed
Represents	a typical, everyday exception	a "busy" but still realistic frame	a deliberately pathological worst case
Realistic?	yes — the common case	yes — heavy but plausible	no — a stress test
Top-level vars	9	11	57
Biggest structure	a 3-key dict, a 5-int list	nested dict (depth 4), 40-row list	fan-out tree: ~111k nodes + 1M leaves
Long strings	none	4 KB + 4.5 KB	5 KB, 20 KB, 4.8 KB
Limits it hits	none	per-value output truncation (1 KB)	all of them

Benchmark vs main

Workload	main	current	Speedup
small (9 vars)	21 µs	18 µs	1.15× faster
medium (11 vars)	194 µs	182 µs	1.07× faster
maxed (57 vars)	497 ms	0.86 ms	576× faster

[greptile-apps]

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
posthog/exception_utils.py:1083-1096
**`mask_url_credentials` silently inert when `mask_patterns` is empty**

The early return `if not compiled_mask: return value` means URL credential scrubbing is bypassed entirely whenever `compiled_mask` is `None` — which happens when `mask_patterns=[]`. The same guard appears in `_serialize_variable_value` (`elif compiled_mask and mask_url_credentials:`), so a user who explicitly disables name-based masks but still expects URL credentials to be scrubbed gets no protection. The two features are advertised as independent toggles but share a single gate.

### Issue 2 of 2
posthog/test/test_exception_capture.py:984-1002
**Prefer `@pytest.mark.parametrize` for multi-case unit tests**

`test_redact_url_credentials` bundles four distinct input/output assertions in a single test body. Per the team convention, these cases should be expressed as separate parametrize entries so each case gets its own pass/fail signal and name. The same applies to `test_mask_url_credentials_can_be_toggled` (two cases: enabled vs disabled) and the inline assertions inside `test_compile_patterns_fast_path_and_regex_fallback`.

_{Reviews (1): Last reviewed commit: "feat: mask sensitive data inside objects..." | Re-trigger Greptile}

[github-actions]

posthog-python Compliance Report

Date: 2026-06-22 07:27:30 UTC
Duration: 540135ms

✅ All Tests Passed!

45/45 tests passed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	518ms
Format Validation.Event Has Uuid	✅	10007ms
Format Validation.Event Has Lib Properties	✅	10007ms
Format Validation.Distinct Id Is String	✅	10007ms
Format Validation.Token Is Present	✅	10007ms
Format Validation.Custom Properties Preserved	✅	10008ms
Format Validation.Event Has Timestamp	✅	10007ms
Retry Behavior.Retries On 503	✅	18016ms
Retry Behavior.Does Not Retry On 400	✅	12008ms
Retry Behavior.Does Not Retry On 401	✅	10007ms
Retry Behavior.Respects Retry After Header	✅	16013ms
Retry Behavior.Implements Backoff	✅	32028ms
Retry Behavior.Retries On 500	✅	16002ms
Retry Behavior.Retries On 502	✅	16011ms
Retry Behavior.Retries On 504	✅	16011ms
Retry Behavior.Max Retries Respected	✅	32029ms
Deduplication.Generates Unique Uuids	✅	9993ms
Deduplication.Preserves Uuid On Retry	✅	16016ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	23020ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	16004ms
Deduplication.No Duplicate Events In Batch	✅	10003ms
Deduplication.Different Events Have Different Uuids	✅	10007ms
Compression.Sends Gzip When Enabled	✅	10006ms
Batch Format.Uses Proper Batch Structure	✅	10007ms
Batch Format.Flush With No Events Sends Nothing	✅	5006ms
Batch Format.Multiple Events Batched Together	✅	10005ms
Error Handling.Does Not Retry On 403	✅	12009ms
Error Handling.Does Not Retry On 413	✅	10006ms
Error Handling.Retries On 408	✅	14013ms

Feature_Flags Tests

✅ 16/16 tests passed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	✅	9503ms
Request Payload.Flags Request Uses V2 Query Param	✅	10006ms
Request Payload.Flags Request Hits Flags Path Not Decide	✅	10007ms
Request Payload.Flags Request Omits Authorization Header	✅	10007ms
Request Payload.Token In Flags Body Matches Init	✅	10007ms
Request Payload.Groups Round Trip	✅	10007ms
Request Payload.Groups Default To Empty Object	✅	10006ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	✅	10007ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	✅	10007ms
Request Payload.Disable Geoip Omitted Defaults To False	✅	10006ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	✅	10007ms
Request Lifecycle.No Flags Request On Init Alone	✅	5003ms
Request Lifecycle.No Flags Request On Normal Capture	✅	10508ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	✅	9512ms
Request Lifecycle.Mock Response Value Is Returned To Caller	✅	10002ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	✅	10509ms

[greptile-apps]

_{Reviews (2): Last reviewed commit: "fix: comments" | Re-trigger Greptile}