Normalize the SQL queries before sending them to Sentry

To prevent sending some sensitive information, we need to normalize the SQL queries before we send them to Sentry. To do so, we decided to use the gem called `pg_query` which compiles some parts of the PostgreSQL database to make it possible to parse SQL queries.

Normalize the SQL queries before sending them to Sentry
To prevent sending some sensitive information, we need to normalize the SQL queries before we send them to Sentry. To do so, we decided to use the gem called `pg_query` which compiles some parts of the PostgreSQL database to make it possible to parse SQL queries.
4abc7fcd · Mehmet Emin INAC · 07f406d5 · 4abc7fcd · 4abc7fcd · 4abc7fcd
Commit 4abc7fcd authored Oct 21, 2020 by Mehmet Emin INAC
Showing with 9 additions and 4 deletions

Gemfile Gemfile +3 -0

Gemfile.lock Gemfile.lock +2 -0

lib/gitlab/error_tracking.rb lib/gitlab/error_tracking.rb +1 -1

spec/lib/gitlab/error_tracking_spec.rb spec/lib/gitlab/error_tracking_spec.rb +3 -3

No files found.
--- a/Gemfile
+++ b/Gemfile
@@ -307,6 +307,9 @@ gem 'rack-attack', '~> 6.3.0'
 # Sentry integration
 gem 'sentry-raven', '~> 3.0'

+# PostgreSQL query parsing
+gem 'pg_query', '~> 1.2'
+
 gem 'premailer-rails', '~> 1.10.3'

 # LabKit: Tracing and Correlation

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -828,6 +828,7 @@ GEM
    peek (1.1.0)
      railties (>= 4.0.0)
    pg (1.2.3)
+    pg_query (1.2.0)
    png_quantizator (0.2.1)
    po_to_json (1.0.1)
      json (>= 1.6.0)
@@ -1424,6 +1425,7 @@ DEPENDENCIES
  parallel (~> 1.19)
  peek (~> 1.1)
  pg (~> 1.1)
+  pg_query (~> 1.2)
  png_quantizator (~> 0.2.1)
  premailer-rails (~> 1.10.3)
  prometheus-client-mmap (~> 0.12.0)

--- a/lib/gitlab/error_tracking.rb
+++ b/lib/gitlab/error_tracking.rb
@@ -153,7 +153,7 @@ module Gitlab
      def inject_sql_query_into_extra(exception, extra)
        return unless exception.is_a?(ActiveRecord::StatementInvalid)

-        extra[:sql] = exception.sql
+        extra[:sql] = PgQuery.normalize(exception.sql.to_s)
      end

      def sentry_dsn

--- a/spec/lib/gitlab/error_tracking_spec.rb
+++ b/spec/lib/gitlab/error_tracking_spec.rb
@@ -284,13 +284,13 @@ RSpec.describe Gitlab::ErrorTracking do
    end

    context 'when the error is kind of an `ActiveRecord::StatementInvalid`' do
-      let(:exception) { ActiveRecord::StatementInvalid.new(sql: :foo) }
+      let(:exception) { ActiveRecord::StatementInvalid.new(sql: 'SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."foo" = $1') }

-      it 'injects the sql query into extra' do
+      it 'injects the normalized sql query into extra' do
        track_exception

        expect(Raven).to have_received(:capture_exception)
-          .with(exception, a_hash_including(extra: a_hash_including(sql: :foo)))
+          .with(exception, a_hash_including(extra: a_hash_including(sql: 'SELECT "users".* FROM "users" WHERE "users"."id" = $2 AND "users"."foo" = $1')))
      end
    end
  end