Skip to content

[Feat][SDK-601] Add built in scrubbing#377

Open
buongarzoni wants to merge 12 commits into
masterfrom
feat/SDK-601/add-built-in-scrubbing
Open

[Feat][SDK-601] Add built in scrubbing#377
buongarzoni wants to merge 12 commits into
masterfrom
feat/SDK-601/add-built-in-scrubbing

Conversation

@buongarzoni

Copy link
Copy Markdown
Collaborator

Description of the change

Adds a scrubbing layer that runs on every payload, so sensitive data is redacted by default rather than only when a user wires up their own transformer.

What it does

ScrubDataTransformer runs after any user-supplied transformer and cannot be
bypassed by replacing it. It redacts values with *** in:

  • Request headers — via a built-in deny-list (Authorization, Cookie,
    Set-Cookie, X-Api-Key, X-Auth-Token, X-Access-Token, X-Secret,
    Proxy-Authorization, WWW-Authenticate). Always on, no config needed.
  • Query params, POST params, custom data, and Frame.locals — for keys
    matching the new redactedKeys config. Nested custom maps are traversed to a
    depth of 8.

Request.url is sanitized unconditionally by DefaultUrlSanitizer, which strips
userinfo, query string, and fragment.

Config

ConfigBuilder.withAccessToken(TOKEN)
    .redactedKeys(Arrays.asList("password", "token", "secret"))  // case-insensitive regex
    .urlSanitizer(myCustomSanitizer) // optional
    .build();

Added to both the core and reactive-streams builders. Defaults are an empty
redaction list and DefaultUrlSanitizer.

Warning

Behavior change
Query strings are now stripped from Request.url by default. Users who relied on
seeing them in Rollbar will need a custom urlSanitizer.

okhttp

RollbarOkHttpInterceptor now delegates its default URL sanitization to the
shared DefaultUrlSanitizer so the okhttp and notifier paths can't drift apart,
and gains a withSharedUrlSanitizer(recorder, sanitizer) factory to reuse the
sanitizer from a notifier config.

The sanitizer types live in rollbar-api (com.rollbar.api.scrubbing), not
rollbar-java, so rollbar-okhttp keeps its existing lightweight dependency.
The factory is static rather than a constructor overload — UrlSanitizer and
StringUrlSanitizer are both functional interfaces, so an overload would make a
lambda argument ambiguous and break existing callers at compile time.

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Maintenance
  • New release

Related issues

Shortcut stories and GitHub issues (delete irrelevant)

Checklists

Development

  • Lint rules pass locally
  • The code changed/added as part of this pull request has been covered with tests
  • All tests related to the changed code pass in development

Code review

  • This pull request has a descriptive title and information useful to a reviewer. There may be a screenshot or screencast attached
  • "Ready for review" label attached to the PR and reviewers assigned
  • Issue from task tracker has a link to this pull request
  • Changes have been reviewed by at least one other engineer

@linear-code

linear-code Bot commented Jul 13, 2026

Copy link
Copy Markdown

SDK-601

@buongarzoni buongarzoni added this to the v2.4.0 milestone Jul 13, 2026
@buongarzoni buongarzoni self-assigned this Jul 13, 2026
@buongarzoni

Copy link
Copy Markdown
Collaborator Author

@claude review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 52d5d40da7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant