fix(pii): Add private keys as secret key name

[untitaker]

https://twitter.com/MoonRankNFT/status/1554911833617641472/photo/1

Its been reported that someone was - likely accidentally - sending a private key to their Sentry instance. There's not a great use case to allow storing that kind of value, so we are adding it to our default blocklists.

The hashes and "mnemonic" seem not very useful for pattern matching, but
we can at least filter out the string if it contains the word
"privatekey" (case-insensitive)

[lucas-zimerman]

@untitaker mnemonic is the seed that's used to generate the private key (that was also included on the payload).
Would you mind if I add that on another PR?

[untitaker]

@lucas-zimerman how? I didn't see any pattern there we could detect. But yeah if you have an idea feel free to send a PR

[untitaker]

also btw keep in mind. with this PR, the entire json string will be deleted anyway, because it contains private_key

[lucas-zimerman]

@lucas-zimerman how? I didn't see any pattern there we could detect. But yeah if you have an idea feel free to send a PR

Basically the mnemonic phrase, is made up of 12, 18, or 24 words, based on BIP39,. TL;DR It can be used to generate a Private key.

also btw keep in mind. with this PR, the entire json string will be deleted anyway, because it contains private_key

Indeed, The entire json string will be removed ,but the user could remove the private_key and keep the mnemonic on the payload, leading to the private key leak.

[untitaker]

Basically the mnemonic phrase, is made up of 12, 18, or 24 words, based on BIP39,. TL;DR It can be used to generate a Private key.

I see, so there's a standard with predefined words. I think if you want to put up a PR for this feel free to. I suspect the regex will be large and imperformant.

We could denylist the word mnemonic as well 🤔