Failed to Scrub IP Addresses in User Contexts When "Prevent Storage of IP Address" Option was Enabled

Low
Jeffreyhung published GHSA-8xxr-rppf-3894 Dec 13, 2024

Package

getsentry/relay

Affected versions

>= 24.3.0, <= 24.11.1

Patched versions

24.11.2

Description

Impact

End user IP addresses were unintentionally stored in spans even when the "Prevent Storage of IP Address" option was explicitly enabled by customers at the project or organization level. The issue was introduced in PR #3122 on Feb 19, 2024, and was released with Relay version 24.3.0 on March 15, 2024.

Customers are impacted under the following conditions:

  • For server-side SDKs, this would occur when sendDefaultPII or send_default_pii was set to true (default: false).
  • For client-side SDKs, this would occur when the SDK is configured to send user context information. By default, the IP address field is set to {{ auto }}.

While these IP addresses are meant to be scrubbed, the regression in Relay prevented this.

Patches

The patch, PR #4364, was merged on Dec 11, 2024.

For SaaS customers, the patch was deployed on Dec 11, 2024 and no further action is required. Affected SaaS customers have already been contacted by email.

SaaS customers running their own Relays with an affected version (24.3.0 to 24.11.1) should upgrade and deploy Relay 24.11.2.

Self-Hosted users who are running 24.2.0 or older versions are not affected. Self-Hosted users who are running an affected version (24.3.0 to 24.11.1) should upgrade to 24.11.2.

Self-Hosted users can also run the following script on local ClickHouse instances to scrub any unintentionally stored IP addresses.

Please note, the script will have a significant impact on performance and may degrade read performance during execution.

ALTER TABLE spans_local
UPDATE 
    `sentry_tags.value` = arrayMap(
        (k, v) -> if(
            k = 'user.ip',
            'scrubbed',
            if(
                k = 'user' AND startsWith(v, 'ip:'),
                concat(
                    'ip:',
                    if(
                        isIPv4String(substring(v, 4)) OR isIPv6String(substring(v, 4)),
                        'scrubbed',
                        substring(v, 4)
                    )
                ),
                v
            )
        ), 
        `sentry_tags.key`, 
        `sentry_tags.value`
    ),
    `user` = if(
        startsWith(user, 'ip:'),
        concat(
            'ip:',
            if(
                isIPv4String(substring(user, 4)) OR isIPv6String(substring(user, 4)),
                'scrubbed',
                substring(user, 4)
            )
        ),
        user
    )
WHERE has(`sentry_tags.key`, 'user.ip') OR has(`sentry_tags.key`, 'user')
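
Two read-only checks to run around the script above, added here as an example and not part of the advisory or of Sentry's tooling. They assume the same spans_local table and column names the script uses; system.mutations is ClickHouse's built-in mutation log.

```sql
-- Added verification queries (not from the advisory).
-- Assumed names, taken from the script above: spans_local,
-- `sentry_tags.key`, `sentry_tags.value`, `user`.

-- 1. Count rows that still carry a literal IP address. Run once before
--    the ALTER to size the mutation, and again after it has finished.
SELECT
    -- Tag pairs the script rewrites: 'user.ip' (always set to 'scrubbed')
    -- and 'user' values of the form 'ip:<IPv4 or IPv6>'.
    countIf(
        arrayExists(
            (k, v) ->
                (k = 'user.ip' AND v != 'scrubbed')
                OR (
                    k = 'user'
                    AND startsWith(v, 'ip:')
                    AND (isIPv4String(substring(v, 4)) OR isIPv6String(substring(v, 4)))
                ),
            `sentry_tags.key`,
            `sentry_tags.value`
        )
    ) AS rows_with_ip_in_tags,
    -- The top-level `user` column, checked on its own. The script only
    -- touches rows selected by its WHERE clause (rows with a 'user' or
    -- 'user.ip' tag), so this count is reported separately.
    countIf(
        startsWith(user, 'ip:')
        AND (isIPv4String(substring(user, 4)) OR isIPv6String(substring(user, 4)))
    ) AS rows_with_ip_in_user
FROM spans_local;

-- 2. ALTER TABLE ... UPDATE runs as an asynchronous mutation by default,
--    so the statement returning does not mean the data is rewritten yet.
--    Wait for is_done = 1 and an empty latest_fail_reason, then re-run
--    query 1.
SELECT mutation_id, create_time, is_done, parts_to_do, latest_fail_reason
FROM system.mutations
WHERE table = 'spans_local'
ORDER BY create_time DESC
LIMIT 5;
```

Both counts scan the whole table, so they add to the read load the advisory already notes for the script.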

Workarounds

No other workarounds are available.

References

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs