http.request.cookies is redacted but Cookie header is not

[fisherking]

Describe the bug

From the spec:

Captured request and response headers, cookies, and form bodies MUST be sanitised (i.e. secrets removed) according to data sanitization rules.

However, this only happens for the http.request.cookies property, not the Cookie header.

It's possible to mitigate the issue just by extending ELASTIC_APM_SANITIZE_FIELD_NAMES with cookie wildcard, but that's different from the default agent behaviour

Steps to reproduce

It is enough just to inspect any transaction containing Cookie header with session, or any other sensitive key

Expected behaviour

One of the following behaviours needs to be implemented:

• removing the Cookie header after adding the cookie property (like it's done in java agent - link)
• sanitizing Cookie header (like it's done in nodejs agent)

Environment

• OS: linux
• Ruby version: 3.1.2
• Framework and version: 6.1.7.3
• APM Server version: 7.16.3
• Agent version: 4.6.2

[estolfo]

Hi @fisherking thanks for opening this issue. Would you mind testing the PR opened here and letting me know if that's a sufficient solution? #1405
As a workaround, you could also set the sanitize field names config value to include "cookie" so the cookie in the header will be redacted.

[radeno]

I have opposite experience. everything in http.request.headers.Cookie is filtered, but I see everything parsed in http.request.cookies.*

My configuration part looks like this:

sanitize_field_names: "*ookie*,*uth*tion"

[estolfo]

Hi @radeno have you looked at the PR #1405? Does that help your situation?

[radeno]

I tried that branch, but i still see parsed cookies. Raw cookie header is filtered

[gpacuilla-st]

We're having the same issue as described in OP - with ruby agent 4.7.0.

Using the default settings, the http.request.cookies.CSRF-TOKEN (for example) is [FILTERED] but the http.request.headers.Cookie still contains the complete raw value.

For the record, this is what I set the envvar to filter the http.request.headers.Cookie values:
defaults from https://www.elastic.co/guide/en/apm/agent/go/current/configuration.html#config-sanitize-field-names
plus *Cookie*

ELASTIC_APM_SANITIZE_FIELD_NAMES='password,passwd,pwd,secret,*key,*token*,*session*,*credit*,*card*,*auth*,set-cookie,*principal*,*Cookie*'