Add argument filtering to PerfettoTrace

rmosolgo · rmosolgo · commit dc911934a1b3 · 2026-02-04T15:52:06.000-05:00
diff --git a/lib/graphql/tracing/perfetto_trace.rb b/lib/graphql/tracing/perfetto_trace.rb
@@ -91,6 +91,22 @@ def initialize(active_support_notifications_pattern: nil, save_profile: false, *
           ctx_debug
         end
 
+        @arguments_filter = if (ctx = query&.context) && (dtf = ctx[:detailed_trace_filter])
+          dtf
+        elsif defined?(ActiveSupport)
+          fp = if defined?(Rails) && Rails.application && (app_config = Rails.application.config.filter_parameters)
+            app_config
+          elsif ActiveSupport.respond_to?(:filter_parameters)
+            ActiveSupport.filter_parameters
+          else
+            []
+          end
+          as_param_filter = ActiveSupport::ParameterFilter.new(fp, mask: ArgumentsFilter::FILTERED)
+          ActiveSupportArgumentsFilter.new(as_param_filter)
+        else
+          ArgumentsFilter.new
+        end
+
         Fiber[:graphql_flow_stack] = nil
         @sequence_id = object_id
         @pid = Process.pid
@@ -255,7 +271,7 @@ def end_execute_field(field, object, arguments, query, app_result)
           start_field.track_event = dup_with(start_field.track_event,{
             debug_annotations: [
                 payload_to_debug(nil, object.object, iid: DA_OBJECT_IID, intern_value: true),
-                payload_to_debug(nil, arguments, iid: DA_ARGUMENTS_IID),
+                payload_to_debug(nil, filter_arguments(arguments), iid: DA_ARGUMENTS_IID),
                 payload_to_debug(nil, app_result, iid: DA_RESULT_IID, intern_value: true)
               ]
             })
@@ -590,6 +606,86 @@ def fid
         Fiber.current.object_id
       end
 
+      def filter_arguments(args)
+        @arguments_filter.filter(args)
+      end
+
+      class ActiveSupportArgumentsFilter
+        def initialize(parameter_filter)
+          @parameter_filter = parameter_filter
+        end
+
+        def filter(args)
+          args_h = remove_wrappers(args)
+          @parameter_filter.filter(args_h)
+        end
+
+        private
+
+        def remove_wrappers(args)
+          case args
+          when Array
+            args.map { |a| remove_wrappers(a)}
+          when Hash
+            args2 = args.dup
+            args.each do |k, v|
+              args2[k] = remove_wrappers(v)
+            end
+            args2
+          when GraphQL::Schema::InputObject
+            args_h = args.to_h
+            args_h.each do |k, v|
+              args_h[k] = remove_wrappers(v)
+            end
+            args_h
+          else
+            args
+          end
+        end
+      end
+
+      class ArgumentsFilter
+        # From Rails defaults
+        # https://github.com/rails/rails/blob/main/railties/lib/rails/generators/rails/app/templates/config/initializers/filter_parameter_logging.rb.tt#L6-L8
+        SENSITIVE_KEY = /passw|token|crypt|email|_key|salt|certificate|secret|ssn|cvv|cvc|otp/i
+        FILTERED = "[FILTERED]"
+
+        def filter(argument)
+          case argument
+          when GraphQL::Schema::InputObject
+            filter(argument.to_h)
+          when Hash
+            target_h = nil
+            argument.each do |k, v|
+              if (k.is_a?(String) && SENSITIVE_KEY.match?(k)) ||
+                  (k.is_a?(Symbol) && SENSITIVE_KEY.match?(k.name))
+                target_h ||= argument.dup
+                target_h[k] = FILTERED
+              else
+                new_v = filter(v)
+                if !v.equal?(new_v)
+                  target_h ||= argument.dup
+                  target_h[k] = new_v
+                end
+              end
+            end
+            target_h || argument
+          when Array
+            target_arr = nil
+            argument.each_with_index do |inner_v, i|
+              new_v = filter(inner_v)
+              if !inner_v.equal?(new_v)
+                target_arr ||= argument.dup
+                target_arr[i] = new_v
+              end
+            end
+            target_arr || argument
+          else
+            argument
+          end
+        end
+      end
+
       def debug_annotation(iid, value_key, value)
         if iid
           DebugAnnotation.new(name_iid: iid, value_key => value)
diff --git a/spec/graphql/tracing/perfetto_trace_spec.rb b/spec/graphql/tracing/perfetto_trace_spec.rb
@@ -105,6 +105,20 @@ def thing(id:)
         def crash
           raise "Crash the query"
         end
+
+        class SecretInput < GraphQL::Schema::InputObject
+          argument :password, String
+        end
+
+        field :secret_field, String do
+          argument :cipher, String, required: false
+          argument :password, String, required: false
+          argument :input, [[SecretInput]], required: false
+        end
+
+        def secret_field(cipher: nil, password: nil, input: nil)
+          cipher || password || input[0][0][:password]
+        end
       end
 
       query(Query)
@@ -159,6 +173,43 @@ def self.detailed_trace?(q)
       check_snapshot(data, "example-rails-#{Rails::VERSION::MAJOR}-#{Rails::VERSION::MINOR}.json")
     end
 
+    it "filters params with ActiveSupport" do
+      query_str = 'query getStuff { secretField(cipher: "abcdef") }'
+      res = PerfettoSchema.execute(query_str, validate: false)
+      json = res.context.query.current_trace.write(file: nil, debug_json: true)
+      assert_includes json, "abcdef"
+      refute_includes json, "FILTERED"
+
+      prev_fp = ActiveSupport.filter_parameters
+      ActiveSupport.filter_parameters = ["cipher"]
+      res = PerfettoSchema.execute(query_str)
+      json = res.context.query.current_trace.write(file: nil, debug_json: true)
+      refute_includes json, "abcdef"
+      assert_includes json, "[FILTERED]"
+
+      ActiveSupport.filter_parameters = ["password"]
+      res = PerfettoSchema.execute('query getStuff { secretField(input: [[{ password: "jklmn" }]]) }')
+      json = res.context.query.current_trace.write(file: nil, debug_json: true)
+      refute json.include?("jklmn"), "Value is removed"
+      assert_includes json, "[FILTERED]"
+    ensure
+      ActiveSupport.filter_parameters = prev_fp
+    end
+
+    it "filters params without ActiveSupport" do
+      query_str = 'query getStuff { secretField(password: "qrstuv") }'
+      res = PerfettoSchema.execute(query_str, context: { detailed_trace_filter: GraphQL::Tracing::PerfettoTrace::ArgumentsFilter.new })
+      json = res.context.query.current_trace.write(file: nil, debug_json: true)
+      assert_includes json, "[FILTERED]"
+      refute_includes json, "qrstuv"
+
+      query_str = 'query getStuff { secretField(input: [[{ password: "lmnop" }]]) }'
+      res = PerfettoSchema.execute(query_str, context: { detailed_trace_filter: GraphQL::Tracing::PerfettoTrace::ArgumentsFilter.new })
+      json = res.context.query.current_trace.write(file: nil, debug_json: true)
+      refute json.include?("lmnop"), "The password is obscured"
+      assert json.include?("[FILTERED]"), "The replacement string is present"
+    end
+
     it "provides an error when google-protobuf isn't available" do
       stderr_and_stdout, _status = Open3.capture2e(%|ruby -e 'require "bundler/inline"; gemfile(true) { source("https://rubygems.org"); gem("graphql", path: "./") }; class MySchema < GraphQL::Schema; trace_with(GraphQL::Tracing::PerfettoTrace); end;'|)
       assert_includes stderr_and_stdout, "GraphQL::Tracing::PerfettoTrace can't be used because the `google-protobuf` gem wasn't available. Add it to your project, then try again."
