fix(core): Ensure ip address headers are stripped when lower case

[mydea]

This was flagged by a claude security review and makes sense IMHO, we should make sure to also strip IP headers when they are lower case.

While looking at that I noticed we have no tests at all for this rather critical thing 😬 so I added some here.

[github-actions]

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path	Size	% Change	Change
@sentry/browser	25.88 kB	-	-
@sentry/browser - with treeshaking flags	24.35 kB	-	-
@sentry/browser (incl. Tracing)	43.8 kB	-	-
@sentry/browser (incl. Tracing + Span Streaming)	45.5 kB	-	-
@sentry/browser (incl. Tracing, Profiling)	48.73 kB	-	-
@sentry/browser (incl. Tracing, Replay)	82.98 kB	-	-
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	72.5 kB	-	-
@sentry/browser (incl. Tracing, Replay with Canvas)	87.67 kB	-	-
@sentry/browser (incl. Tracing, Replay, Feedback)	99.93 kB	-	-
@sentry/browser (incl. Feedback)	42.7 kB	-	-
@sentry/browser (incl. sendFeedback)	30.55 kB	-	-
@sentry/browser (incl. FeedbackAsync)	35.55 kB	-	-
@sentry/browser (incl. Metrics)	27.16 kB	-	-
@sentry/browser (incl. Logs)	27.29 kB	-	-
@sentry/browser (incl. Metrics & Logs)	27.98 kB	-	-
@sentry/react	27.62 kB	-	-
@sentry/react (incl. Tracing)	46.05 kB	-	-
@sentry/vue	30.71 kB	-	-
@sentry/vue (incl. Tracing)	45.62 kB	-	-
@sentry/svelte	25.89 kB	-	-
CDN Bundle	28.57 kB	-	-
CDN Bundle (incl. Tracing)	46.08 kB	-	-
CDN Bundle (incl. Logs, Metrics)	29.95 kB	-	-
CDN Bundle (incl. Tracing, Logs, Metrics)	47.12 kB	-	-
CDN Bundle (incl. Replay, Logs, Metrics)	68.92 kB	-	-
CDN Bundle (incl. Tracing, Replay)	83.14 kB	-	-
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	84.17 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback)	88.61 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	89.69 kB	-	-
CDN Bundle - uncompressed	83.59 kB	-	-
CDN Bundle (incl. Tracing) - uncompressed	137.62 kB	-	-
CDN Bundle (incl. Logs, Metrics) - uncompressed	87.73 kB	-	-
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	141.03 kB	-	-
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	211.31 kB	-	-
CDN Bundle (incl. Tracing, Replay) - uncompressed	255.06 kB	-	-
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	258.46 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	267.97 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	271.36 kB	-	-
@sentry/nextjs (client)	48.58 kB	-	-
@sentry/sveltekit (client)	44.22 kB	-	-
@sentry/node-core	58.37 kB	+0.05%	+29 B 🔺
@sentry/node	175.69 kB	+0.03%	+39 B 🔺
@sentry/node - without tracing	98.32 kB	+0.04%	+31 B 🔺
@sentry/aws-serverless	115.35 kB	+0.03%	+33 B 🔺

View base workflow run

[s1gr1d]

We have multiple points in the code where we remove specific headers based on options. I hope this gets easier with the new dataCollection config.

I quickly checked and we should probably also modify this line:

sentry-javascript/packages/core/src/utils/request.ts

Line 152 in 244db35

const PII_HEADER_SNIPPETS = ['x-forwarded-', '-user'];

to

const PII_HEADER_SNIPPETS = ['forwarded', '-user', '-ip'];

This would match all ipHeaderNames

[mydea]

We have multiple points in the code where we remove specific headers based on options. I hope this gets easier with the new dataCollection config.

I quickly checked and we should probably also modify this line:

sentry-javascript/packages/core/src/utils/request.ts

Line 152 in 244db35

const PII_HEADER_SNIPPETS = ['x-forwarded-', '-user'];

to

const PII_HEADER_SNIPPETS = ['forwarded', '-user', '-ip'];

This would match all ipHeaderNames

let's look at this in a follow up PR! 👍

[JPeer264]

FWIW in http 2 and 3 everything should be lower case, so we might need to adapt other places in the code as well