From 1778c04547dbf31b2334e5e7f5559605c73ee768 Mon Sep 17 00:00:00 2001
From: Iker Barriocanal <32816711+iker-barriocanal@users.noreply.github.com>
Date: Tue, 3 Oct 2023 14:05:28 +0200
Subject: [PATCH] ref(spans): Scrub data image descriptions (#2560)

---
 CHANGELOG.md | 4 ++++
 py/CHANGELOG.md | 4 ++++
 .../src/normalize/span/description/mod.rs | 11 +++++++++++
 3 files changed, 19 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6af0a28963..79b57f1cfb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@

 ## Unreleased

+**Features**:
+
+- Scrub span descriptions with encoded data images. ([#2560](https://github.com/getsentry/relay/pull/2560))
+
 **Bug Fixes**:

 - Remove profile_id from context when no profile is in the envelope. ([#2523](https://github.com/getsentry/relay/pull/2523))
diff --git a/py/CHANGELOG.md b/py/CHANGELOG.md
index bff8e27c9d..8034f78fea 100644
--- a/py/CHANGELOG.md
+++ b/py/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog

+## Unreleased
+
+- Scrub span descriptions with encoded data images. ([#2560](https://github.com/getsentry/relay/pull/2560))
+
 ## 0.8.30

 - Filter out exceptions originating in Safari extensions. ([#2408](https://github.com/getsentry/relay/pull/2408))
diff --git a/relay-event-normalization/src/normalize/span/description/mod.rs b/relay-event-normalization/src/normalize/span/description/mod.rs
index e142f4b9d9..7046040da7 100644
--- a/relay-event-normalization/src/normalize/span/description/mod.rs
+++ b/relay-event-normalization/src/normalize/span/description/mod.rs
@@ -91,6 +91,10 @@ fn scrub_http(string: &str) -> Option {
 return None;
 };

+ if url.starts_with("data:image/") {
+ return Some(format!("{method} data:image/*"));
+ }
+
 let scrubbed = match Url::parse(url) {
 Ok(url) => {
 let host = url.host().map(|h| h.to_string())?;
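Review bot: The new guard in `scrub_http` matches only the exact lowercase prefix `data:image/`, so a data URL with another media type (for example `data:text/html;base64,…`) or a differently cased scheme skips it and falls through to `Url::parse`. There `url.host()` is presumably `None` for a data URL and the `?` returns `None`; what the caller does with that `None` is outside the hunk, and if it keeps the raw description the encoded payload, which can carry user content, stays in the span. Consider a scheme-level fallback right after the image case, `if url.get(..5).map_or(false, |p| p.eq_ignore_ascii_case("data:")) { return Some(format!("{method} data:*/*")); }`, plus a one-line comment on the branch such as `// Data URLs embed their payload inline; keep only the media-type family.` The body of `scrub_http` starts and ends outside the hunk.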
@@ -367,6 +371,13 @@ mod tests {
 "GET *"
 );

+ span_description_test!(
+ span_description_scrub_data_images,
+ "GET data:image/png;base64,drtfghaksjfdhaeh/blah/blah/blah",
+ "http.client",
+ "GET data:image/*"
+ );
+
 span_description_test!(
 span_description_scrub_only_dblike_on_db_ops,
 "SELECT count() FROM table WHERE id IN (%s, %s)",
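Review bot: `span_description_scrub_data_images` pins only the lowercase `data:image/png;base64` form, so the result for data URLs that miss the `starts_with("data:image/")` guard is left untested. A second `span_description_test!` case with a non-image input such as `"GET data:text/plain;base64,AAAA"` (constructed sample), and one with an upper-case scheme, would record whether the inline payload survives scrubbing. The expected strings depend on code outside this diff, so they are not proposed here. The `mod tests` block starts and ends outside the hunk.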