feat(pii): Add otp and two-factor to default password scrubber (#5250)

Feedback from a customer, `otp` and `two[-_]factor` are indicators for
sensitive values.

Author: Dav1dde

CHANGELOG.md

@@ -17,7 +17,8 @@
 - Add `sentry.origin` attribute to OTLP logs. ([#5190](https://github.com/getsentry/relay/pull/5190))
 - Add new iPhone 17 devices. ([#5203](https://github.com/getsentry/relay/pull/5203))
 - Upgrade sqlparser and improve SQL parsing for span grouping. ([#5211](https://github.com/getsentry/relay/pull/5211))
-- Maps `unknown_error` span status to `internal_error` ([#5202](https://github.com/getsentry/relay/pull/5202))
+- Maps `unknown_error` span status to `internal_error`. ([#5202](https://github.com/getsentry/relay/pull/5202))
+- Add `otp` and `two[-_]factor` to default scrubbing rules. ([#5250](https://github.com/getsentry/relay/pull/5250))
 - Add event merging logic for Playstation crashes. ([#5228](https://github.com/getsentry/relay/pull/5228))
 
 **Bug Fixes**:

relay-pii/src/convert.rs

@@ -278,6 +278,9 @@ THd+9FBxiHLGXNKhG/FRSyREXEt+NyYIf/0cyByc9tNksat794ddUqnLOg0vwSkv
             "a_password_here": "hello",
             "api_key": "secret_key",
             "apiKey": "secret_key",
+            "otp": "otp_code",
+            "two-factor": "otp_code",
+            "two_factor": "otp_code",
         })
     }
 
@@ -1904,4 +1907,33 @@ THd+9FBxiHLGXNKhG/FRSyREXEt+NyYIf/0cyByc9tNksat794ddUqnLOg0vwSkv
         process_value(&mut data, &mut pii_processor, ProcessingState::root()).unwrap();
         assert_annotated_snapshot!(data);
     }
+
+    #[test]
+    fn test_password_rule_only_full_match_fields() {
+        let mut data = Event::from_value(
+            serde_json::json!({
+                "extra": {
+                    "not-a-two-factor": "I am okay",
+                    "not_a_two_factor": "I am okay",
+                    "footpath": "I am okay",
+                    "idiotproof": "I am okay",
+                }
+            })
+            .into(),
+        );
+
+        let pii_config = simple_enabled_pii_config();
+        let mut pii_processor = PiiProcessor::new(pii_config.compiled());
+        process_value(&mut data, &mut pii_processor, ProcessingState::root()).unwrap();
+        assert_annotated_snapshot!(data, @r#"
+        {
+          "extra": {
+            "footpath": "I am okay",
+            "idiotproof": "I am okay",
+            "not-a-two-factor": "I am okay",
+            "not_a_two_factor": "I am okay"
+          }
+        }
+        "#);
+    }
 }

relay-pii/src/regexes.rs

@@ -336,7 +336,7 @@ regex!(BEARER_TOKEN_REGEX, r"(?i)\b(Bearer\s+)([^\s]+)");
 
 regex!(
     PASSWORD_KEY_REGEX,
-    r"(?i)(password|secret|passwd|api_key|apikey|auth|credentials|mysql_pwd|privatekey|private_key|token)"
+    r"(?i)(password|secret|passwd|api_key|apikey|auth|credentials|mysql_pwd|privatekey|private_key|token|^otp$|^two[-_]factor$)"
 );
 
 #[cfg(test)]

relay-pii/src/snapshots/relay_pii__convert__tests__contexts.snap

@@ -9,71 +9,95 @@ expression: data
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "app"
     },
     "biz": {
       "a_password_here": "[Filtered]",
       "apiKey": "[Filtered]",
       "api_key": "[Filtered]",
       "foo": "bar",
+      "otp": "[Filtered]",
       "password": "[Filtered]",
       "the_secret": "[Filtered]",
+      "two-factor": "[Filtered]",
+      "two_factor": "[Filtered]",
       "type": "biz"
     },
     "browser": {
       "a_password_here": "hello",
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "browser"
     },
     "device": {
       "a_password_here": "hello",
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "device"
     },
     "gpu": {
       "a_password_here": "hello",
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "gpu"
     },
     "monitor": {
       "a_password_here": "hello",
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "monitor"
     },
     "os": {
       "a_password_here": "hello",
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "os"
     },
     "runtime": {
       "a_password_here": "hello",
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "runtime"
     },
     "secret": null,
@@ -82,8 +106,11 @@ expression: data
       "apiKey": "secret_key",
       "api_key": "secret_key",
       "foo": "bar",
+      "otp": "otp_code",
       "password": "hello",
       "the_secret": "hello",
+      "two-factor": "otp_code",
+      "two_factor": "otp_code",
       "type": "trace"
     }
   },
@@ -129,6 +156,19 @@ expression: data
             "len": 10
           }
         },
+        "otp": {
+          "": {
+            "rem": [
+              [
+                "@password:filter",
+                "s",
+                0,
+                10
+              ]
+            ],
+            "len": 8
+          }
+        },
         "password": {
           "": {
             "rem": [
@@ -154,6 +194,32 @@ expression: data
             ],
             "len": 5
           }
+        },
+        "two-factor": {
+          "": {
+            "rem": [
+              [
+                "@password:filter",
+                "s",
+                0,
+                10
+              ]
+            ],
+            "len": 8
+          }
+        },
+        "two_factor": {
+          "": {
+            "rem": [
+              [
+                "@password:filter",
+                "s",
+                0,
+                10
+              ]
+            ],
+            "len": 8
+          }
         }
       },
       "secret": {