Documentation | Bug Tracker | Forum | IRC: irc.freenode.net, #sentry
The official Ruby-language client and integration layer for the Sentry error reporting API.
We test on Ruby 1.9, 2.2, 2.3, and 2.4 at the latest patchlevel/teeny version. We also support JRuby 1.7 and 9.0. Our Rails integration works with Rails 4.2+ (including Rails 5).
```ruby
gem "sentry-raven"
```
Raven will capture and send exceptions to the Sentry server whenever its DSN is set. This makes environment-based configuration easy - if you don't want to send errors in a certain environment, just don't set the DSN in that environment!
```bash
# Set your SENTRY_DSN environment variable.
export SENTRY_DSN=http://public:secret@example.com/project-id
```

```ruby
# Or you can configure the client in the code (not recommended - keep your DSN secret!)
Raven.configure do |config|
  config.dsn = 'http://public:secret@example.com/project-id'
end
```
Raven ignores some exceptions by default - most of these are related to 404s or controller actions not being found. For a complete list, see the IGNORE_DEFAULT constant.
Raven doesn't report POST data or cookies by default. In addition, it will attempt to remove any obviously sensitive data, such as credit card or Social Security numbers. For more information about how Sentry processes your data, check out the documentation on the processors config setting.
If you use Rails, you're already done - no more configuration required! Check Integrations for more details on other gems Sentry integrates with automatically.
Otherwise, Raven supports two methods of capturing exceptions:
```ruby
Raven.capture do
  # capture any exceptions which happen during execution of this block
  1 / 0
end
```

```ruby
begin
  1 / 0
rescue ZeroDivisionError => exception
  Raven.capture_exception(exception)
end
```
You're all set - but there are a few more settings you may want to know about too!
When an error or message occurs, the notification is immediately sent to Sentry. Raven can be configured to send asynchronously:
```ruby
config.async = lambda { |event|
  Thread.new { Raven.send_event(event) }
}
```
Using a thread to send events will be adequate for truly parallel Ruby platforms such as JRuby, though the benefit on MRI/CRuby will be limited. If the async callback raises an exception, Raven will attempt to send synchronously.
Note that the naive example implementation has a major drawback - it can create an infinite number of threads. We recommend creating a background job, using your background job processor, that will send Sentry notifications in the background.
```ruby
config.async = lambda { |event| SentryJob.perform_later(event) }
```

```ruby
class SentryJob < ActiveJob::Base
  queue_as :default

  def perform(event)
    Raven.send_event(event)
  end
end
```
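If no job processor is available, the thread-exhaustion drawback described above can still be avoided in-process. The following is an added example, not code from the sentry-raven project: a fixed-capacity queue drained by a fixed pool of worker threads, which falls back to a synchronous send when the queue is full so that a burst of errors cannot grow the thread count without bound. `send_proc` is an assumed stand-in for `Raven.send_event` so the snippet runs without the gem; wire it in as `config.async = lambda { |event| sender.call(event) }`.

```ruby
# Bounded asynchronous sender: a fixed-capacity queue plus a fixed worker pool.
# Unlike `Thread.new` per event, the thread count never grows with the error
# rate; when the queue is full the caller sends inline (backpressure) instead
# of dropping the event. `send_proc` is a hypothetical seam for Raven.send_event.
class BoundedAsyncSender
  def initialize(send_proc, capacity: 100, workers: 2)
    @send_proc = send_proc
    @queue = SizedQueue.new(capacity)
    @lock = Mutex.new
    @overflow = 0
    @workers = Array.new(workers) { Thread.new { worker_loop } }
  end

  # Entry point for config.async; never blocks the caller and never spawns threads.
  def call(event)
    @queue.push(event, true) # non-blocking push raises ThreadError when full
    :queued
  rescue ThreadError
    @lock.synchronize { @overflow += 1 }
    @send_proc.call(event)   # queue saturated: send synchronously, as Raven's own fallback does
    :sent_inline
  end

  # Number of events that bypassed the queue; worth exporting as a metric.
  def overflow_count
    @lock.synchronize { @overflow }
  end

  # Flush queued events and stop the workers (call at process exit).
  def shutdown
    @workers.size.times { @queue.push(:stop) }
    @workers.each(&:join)
  end

  private

  def worker_loop
    loop do
      event = @queue.pop
      break if event == :stop
      begin
        @send_proc.call(event)
      rescue StandardError => e
        warn "sentry delivery failed: #{e.class}: #{e.message}"
      end
    end
  end
end
```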
If Raven fails to send an event to Sentry for any reason (for example, because the Sentry server returned a 4XX or 5XX response), this Proc or lambda will be called.
```ruby
config.transport_failure_callback = lambda { |event|
  AdminMailer.email_admins("Oh god, it's on fire!", event).deliver_later
}
```
Much of the usefulness of Sentry comes from additional context data with the events. Raven makes this very convenient by providing methods to set thread local context data that is then submitted automatically with all events.
There are three primary methods for providing request context:
```ruby
# bind the logged in user
Raven.user_context email: 'foo@example.com'

# tag the request with something interesting
Raven.tags_context interesting: 'yes'

# provide a bit of additional context
Raven.extra_context happiness: 'very'
```
For more information, see Context.
We found that jones-gem demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.