fix(core): Sanitize data URLs in http.client spans

[Lms24]

Our http.client span instrumentations currently treat data URLs (blobs or base64 encoded data) like regular raw URLs. While this is in general fine, the problem is that this leads to incredibly long span names and attribute values, especially because the URL is sent in up to three different attributes per span. This makes Relay reject the the sent events due to exceeding size limits.

Therefore, I decided to extract the already existing stack trace URL sanitization logic for data URLs and apply it to http.client spans and attributes. This will lead to "lost" information in the sense of not having data URLs but I think for now we can live with that. The replacement in the future could be span attachments (if we decide this is valuable or make it opt-in).

Note: This is most likely only a concern in client-side SDKs but since our fetch instrumentation is used across the board, I decided to also add this to our server-side instrumentation. I'd rather have this taken care of everywhere.

closes #17345

[github-actions]

size-limit report 📦

Path	Size	% Change	Change
@sentry/browser	25.2 kB	+0.4%	+98 B 🔺
@sentry/browser - with treeshaking flags	23.71 kB	+0.41%	+96 B 🔺
@sentry/browser (incl. Tracing)	42.02 kB	+0.38%	+158 B 🔺
@sentry/browser (incl. Tracing, Profiling)	46.61 kB	+0.34%	+156 B 🔺
@sentry/browser (incl. Tracing, Replay)	80.63 kB	+0.2%	+155 B 🔺
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	70.28 kB	+0.18%	+120 B 🔺
@sentry/browser (incl. Tracing, Replay with Canvas)	85.33 kB	+0.18%	+151 B 🔺
@sentry/browser (incl. Tracing, Replay, Feedback)	97.53 kB	+0.17%	+160 B 🔺
@sentry/browser (incl. Feedback)	41.92 kB	+0.23%	+93 B 🔺
@sentry/browser (incl. sendFeedback)	29.89 kB	+0.32%	+95 B 🔺
@sentry/browser (incl. FeedbackAsync)	34.89 kB	+0.29%	+99 B 🔺
@sentry/browser (incl. Metrics)	26.31 kB	+0.36%	+93 B 🔺
@sentry/browser (incl. Logs)	26.46 kB	+0.37%	+96 B 🔺
@sentry/browser (incl. Metrics & Logs)	27.11 kB	+0.35%	+92 B 🔺
@sentry/react	26.93 kB	+0.34%	+91 B 🔺
@sentry/react (incl. Tracing)	44.26 kB	+0.39%	+170 B 🔺
@sentry/vue	29.64 kB	+0.3%	+86 B 🔺
@sentry/vue (incl. Tracing)	43.82 kB	+0.35%	+149 B 🔺
@sentry/svelte	25.22 kB	+0.4%	+98 B 🔺
CDN Bundle	27.78 kB	+0.38%	+105 B 🔺
CDN Bundle (incl. Tracing)	42.83 kB	+0.38%	+161 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics)	43.65 kB	+0.34%	+145 B 🔺
CDN Bundle (incl. Tracing, Replay)	79.53 kB	+0.21%	+162 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback)	84.97 kB	+0.2%	+165 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	85.89 kB	+0.2%	+170 B 🔺
CDN Bundle - uncompressed	81.27 kB	+0.24%	+189 B 🔺
CDN Bundle (incl. Tracing) - uncompressed	126.81 kB	+0.26%	+317 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	129.65 kB	+0.25%	+317 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed	243.35 kB	+0.14%	+317 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	256.15 kB	+0.13%	+317 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	258.96 kB	+0.13%	+317 B 🔺
@sentry/nextjs (client)	46.62 kB	+0.4%	+182 B 🔺
@sentry/sveltekit (client)	42.39 kB	+0.35%	+146 B 🔺
@sentry/node-core	51.9 kB	-	-
@sentry/node	164 kB	+0.15%	+245 B 🔺
@sentry/node - without tracing	93.65 kB	+0.27%	+248 B 🔺
@sentry/aws-serverless	109.15 kB	+0.23%	+245 B 🔺

View base workflow run

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	8,639	-	9,202	-6%
GET With Sentry	1,628	19%	1,705	-5%
GET With Sentry (error only)	6,049	70%	5,940	+2%
POST Baseline	1,185	-	1,158	+2%
POST With Sentry	589	50%	579	+2%
POST With Sentry (error only)	1,052	89%	874	+20%
MYSQL Baseline	3,315	-	3,271	+1%
MYSQL With Sentry	458	14%	439	+4%
MYSQL With Sentry (error only)	2,653	80%	2,708	-2%

View base workflow run

[brunohaid]

Thanks a ton Lukas! I'd leave the first n chars of the data stream in there, knowing what type of data it is (by magic bytes, eg wasm starts with AGFzbQ, base64 encoding of \0asm) is definitely helpful in debugging.

[s1gr1d]

About the additional comment from @brunohaid: Maybe we could add the content of the first few bytes as an attribute here 🤔

[Lms24]

I ended up adding the first 10 bytes to the span description and data. I went for adding this directly to the URL attributes/description because there isn't really a fitting attribute defined in SemConv for data url content. So I just stuck with the "url.full" one.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}