Skip to content

feat(core): Parse individual cookies from cookie header #18325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
s1gr1d merged 11 commits into from
Dec 10, 2025
Merged

feat(core): Parse individual cookies from cookie header #18325

s1gr1d merged 11 commits into from
Dec 10, 2025

Conversation

@s1gr1d
Copy link
Member

@s1gr1d s1gr1d commented Nov 25, 2025
edited by github-actions bot
Loading

Parse each individual cookie header and filter sensitive cookies to at least know which keys the cookie string included.

Follow-up on #18311

Closes #18441

@s1gr1d s1gr1d requested review from Lms24 and andreiborza November 25, 2025 13:59
sentry[bot]
sentry bot reviewed Nov 25, 2025
View reviewed changes
packages/core/src/utils/request.ts
}

return spanAttributes;
}

This comment was marked as outdated.

Sign in to view

@github-actions
Copy link
Contributor

github-actions bot commented Nov 25, 2025
edited
Loading

size-limit report 📦

Path Size % Change Change
@sentry/browser 24.8 kB - -
@sentry/browser - with treeshaking flags 23.31 kB - -
@sentry/browser (incl. Tracing) 41.54 kB - -
@sentry/browser (incl. Tracing, Profiling) 46.13 kB - -
@sentry/browser (incl. Tracing, Replay) 79.96 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 69.69 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 84.64 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 96.88 kB - -
@sentry/browser (incl. Feedback) 41.48 kB - -
@sentry/browser (incl. sendFeedback) 29.49 kB - -
@sentry/browser (incl. FeedbackAsync) 34.47 kB - -
@sentry/react 26.52 kB - -
@sentry/react (incl. Tracing) 43.74 kB - -
@sentry/vue 29.25 kB - -
@sentry/vue (incl. Tracing) 43.34 kB - -
@sentry/svelte 24.82 kB - -
CDN Bundle 27.21 kB - -
CDN Bundle (incl. Tracing) 42.21 kB - -
CDN Bundle (incl. Tracing, Replay) 78.75 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) 84.2 kB - -
CDN Bundle - uncompressed 79.96 kB - -
CDN Bundle (incl. Tracing) - uncompressed 125.34 kB - -
CDN Bundle (incl. Tracing, Replay) - uncompressed 241.37 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 254.13 kB - -
@sentry/nextjs (client) 45.96 kB - -
@sentry/sveltekit (client) 41.9 kB - -
@sentry/node-core 51.5 kB +0.46% +232 B 🔺
@sentry/node 159.76 kB +0.15% +239 B 🔺
@sentry/node - without tracing 92.85 kB -0.01% -1 B 🔽
@sentry/aws-serverless 108.38 kB +0.22% +234 B 🔺

View base workflow run

@github-actions
Copy link
Contributor

github-actions bot commented Nov 25, 2025
edited
Loading

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 11,507 - 8,693 +32%
GET With Sentry 2,054 18% 1,701 +21%
GET With Sentry (error only) 7,896 69% 6,002 +32%
POST Baseline 1,219 - 1,196 +2%
POST With Sentry 618 51% 595 +4%
POST With Sentry (error only) 1,088 89% 1,057 +3%
MYSQL Baseline 4,061 - 3,301 +23%
MYSQL With Sentry 630 16% 599 +5%
MYSQL With Sentry (error only) 3,342 82% 2,666 +25%

View base workflow run

cursor[bot]
cursor bot reviewed Nov 25, 2025
View reviewed changes
Lms24
Lms24 reviewed Nov 26, 2025
View reviewed changes
Copy link
Member

@Lms24 Lms24 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think bugbot is right with the cookie/set-cookie difference, so let's double check this.

one more Q: Do we need to adjust the semantic conventions for "sub" http headers? From what I can tell the spec covers arbitrary keys afoter http.request.headers.<key> but I just want to make sure <key> could contain another . as in the cookie header attribute case.

packages/core/src/utils/request.ts
} else if (typeof value === 'string') {
spanAttributes[normalizedKey] = value;
const lowerCasedHeaderKey = key.toLowerCase();
const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';
Copy link
Member

@Lms24 Lms24 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

l: probably saves us a few bytes:

Suggested change
const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';
const isCookieHeader = /^(set-)cookie$?/.test(lowerCasedHeaderKey)

packages/core/src/utils/request.ts
const lowerCasedHeaderKey = key.toLowerCase();
const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';

if (isCookieHeader && typeof value === 'string' && value !== '') {
Copy link
Member

@Lms24 Lms24 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

q: do we handle arrays of cookie headers? (or is this not relevant for cookie/set-cookie?)

Copy link
Member Author

@s1gr1d s1gr1d Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the sake of simplicity (as cookies are one string), an array would just be parsed as ...header.cookie: [Filtered]. There is also a test that checks that a cookie attribute is always filtered.

packages/core/test/lib/utils/request.test.ts Outdated
});

it('attaches and filters sensitive a set-cookie header', () => {
const headers1 = { 'Set-Cookie': 'user_session=def456' };
Copy link
Member

@Lms24 Lms24 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

l: let's add or adjust a test here for a set-cookie header with additional properties (e.g. like max-age)

This was referenced Dec 9, 2025
Closed
Closed
sentry[bot]
sentry bot reviewed Dec 9, 2025
View reviewed changes
packages/core/src/utils/request.ts
Comment on lines +179 to +180
const isSetCookie = lowerCasedHeaderKey === 'set-cookie';
const semicolonIndex = value.indexOf(';');

This comment was marked as outdated.

Sign in to view

cursor[bot]
cursor bot reviewed Dec 9, 2025
View reviewed changes
@s1gr1d s1gr1d merged commit ec8c8c6 into develop Dec 10, 2025
206 checks passed
@s1gr1d s1gr1d deleted the sig/cookie-headers branch December 10, 2025 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@Lms24 Lms24 Lms24 approved these changes

@andreiborza andreiborza Awaiting requested review from andreiborza

+1 more reviewer

@sentry sentry[bot] sentry[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(core): Parse individual cookies from cookie header

3 participants

@s1gr1d @Lms24