sentry/remix appears to be incorrectly identifying users based on IP address headers #7323
Comments
Hi @alexblack, thanks for writing in! Can you confirm that this issue only concerns server-side errors? (we're handling IP addresses differently for browser and server SDKs, which is the reason I'm asking) The reason why this is happening is that we're not looking at headers for determining the ip address. In fact, we take the IP we receive from the node request: https://github.com/getsentry/sentry-javascript/blob/a88a8bf0f26d12adde87738a3c9f56658397af9a/packages/node/src/requestdata.ts#L285-L296
I'm not sure if we're going to start analyzing headers as well, given that there's probably quite a few headers out there we'd potentially need to check. I'm gonna raise this internally to see if and how we'll make changes here.
Hi Lukas, we've only seen this be an issue on server side errors, but I can't say for sure.
It seems like a significant issue. At first it made us think we had a major security issue; we worried that somehow users were getting assigned other users' security credentials.
In this specific case that I linked to, Sentry is claiming the user is my colleague here in Canada, but in reality it's a user of ours from France.
On Fri, Mar 3, 2023, 12:18 AM Lukas Stracke wrote: (quoted comment above)
Oh, I just realized we actually extract the IP from Http headers in the Remix SDK already (#6263). Sorry for the confusion. We'll need to look into this. I might have an idea what's going wrong but it's hard to verify without a reproduction.
I opened #7329 with a potential fix. Would you mind taking a look at this PR if the fix makes sense to you? As I said it's hard to actually verify that this actually works.
Thanks, that fix looks promising. I'm not sure how to reproduce it. Is there no way for you to "replay" the event on your end?
On Fri, Mar 03, 2023 at 6:58 AM, Lukas Stracke wrote: (quoted comment above)
Is there an existing issue for this?
How do you use Sentry?
Sentry Saas (sentry.io)
Which SDK are you using? If you use the CDN bundles, please specify the exact bundle (e.g. bundle.tracing.min.js) in your SDK setup.
@sentry/remix
SDK Version
7.38.0
Framework Version
Remix 1.13.0
Link to Sentry event
https://syncwith.sentry.io/issues/3955446273/events/fef107a39ec64e20ad358cf5f26396d1/?project=5880196
SDK Setup
client:
server:
Steps to Reproduce
We're using a cloudflare worker in front of our website, and cloudflare cdn, and in this request:
https://syncwith.sentry.io/issues/3955446273/events/fef107a39ec64e20ad358cf5f26396d1/?project=5880196
It appears that the user was identified using IP address 141.101.69.35, which is a cloudflare IP. The correct IP to identify the user with is 2a01:cb19:8350:ed00:d0dd:fa5b:de31:8be5, found in header Cf-Connecting-Ip.
I wonder if the bug is that sentry should let Cf-Connecting-Ip take precedence over X-Forwarded-For, or, if it's not properly parsing X-Forwarded-For and extracting the relevant IP (the first, not the last, in this case).
Expected Result
The user should be identified by the IP address found in cf-connecting-ip, or maybe first in x-forwarded-for
Actual Result
The user was identified by the wrong IP
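An added example (not Sentry SDK code) of how a server behind Cloudflare can resolve the client address this report is about: proxy headers are honoured only when the direct TCP peer is a trusted proxy, Cf-Connecting-Ip wins over X-Forwarded-For, and X-Forwarded-For is walked from the right past known proxies rather than blindly taking the first entry, which goes a step beyond the "first, not last" rule suggested above. The trusted-proxy set and the 203.0.113.7 / 198.51.100.9 addresses are constructed assumptions; the header values and the other two IPs come from the report.

```javascript
// Added example, not Sentry SDK code: resolve the real client IP behind a proxy
// such as Cloudflare, trusting proxy headers only when the peer is a known proxy.

// Constructed assumption: proxy addresses allowed to set these headers.
// 141.101.69.35 is the Cloudflare edge address seen in the report.
const TRUSTED_PROXIES = new Set(['141.101.69.35']);

// Constructed sample headers built from the values in the report.
const SAMPLE_HEADERS = {
  'Cf-Connecting-Ip': '2a01:cb19:8350:ed00:d0dd:fa5b:de31:8be5',
  'X-Forwarded-For': '2a01:cb19:8350:ed00:d0dd:fa5b:de31:8be5, 141.101.69.35',
};

// X-Forwarded-For is "client, proxy1, proxy2": each hop appends the peer it saw.
function parseForwardedFor(value) {
  return value.split(',').map((s) => s.trim()).filter(Boolean);
}

// Returns { ip, source }, where source records which input was trusted.
function resolveClientIp(headers, remoteAddress) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // If the TCP peer is not a trusted proxy, every header is client-controlled:
  // use the socket address rather than a spoofable header value.
  if (!TRUSTED_PROXIES.has(remoteAddress)) return { ip: remoteAddress, source: 'socket' };

  // Cloudflare sets Cf-Connecting-Ip to the single original client address.
  if (h['cf-connecting-ip']) return { ip: h['cf-connecting-ip'].trim(), source: 'cf-connecting-ip' };

  // Otherwise walk X-Forwarded-For from the right, skipping hops we trust; the
  // first untrusted hop is the client. Taking entry [0] blindly would honour a
  // value the client prepended before the request reached the proxy.
  if (h['x-forwarded-for']) {
    const chain = parseForwardedFor(h['x-forwarded-for']);
    for (let i = chain.length - 1; i >= 0; i--) {
      if (!TRUSTED_PROXIES.has(chain[i])) return { ip: chain[i], source: 'x-forwarded-for' };
    }
  }
  return { ip: remoteAddress, source: 'socket' };
}
```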