Scrub sensitive paths and emails from deploy telemetry error messages

shreyas-goenka · shreyas-goenka · commit 36d67ed6e6f1 · 2026-03-26T18:15:06.000+01:00
Adds a scrubber that runs before error messages are sent to telemetry: 1. Replaces the bundle root path with "." to avoid leaking local paths 2. Redacts remaining home directory paths (/Users/..., /home/..., C:\Users\...) 3. Redacts email addresses (e.g., in workspace paths) Inspired by VS Code's telemetry path scrubbing and Sentry's @userpath rule. Co-authored-by: Isaac
diff --git a/bundle/phases/telemetry.go b/bundle/phases/telemetry.go
@@ -9,6 +9,7 @@ import (
 	"github.com/databricks/cli/bundle/config"
 	"github.com/databricks/cli/bundle/libraries"
 	"github.com/databricks/cli/libs/dyn"
+	"github.com/databricks/cli/libs/env"
 	"github.com/databricks/cli/libs/log"
 	"github.com/databricks/cli/libs/telemetry"
 	"github.com/databricks/cli/libs/telemetry/protos"
@@ -38,6 +39,9 @@ const maxErrorMessageLength = 500
 
 // LogDeployTelemetry logs a telemetry event for a bundle deploy command.
 func LogDeployTelemetry(ctx context.Context, b *bundle.Bundle, errMsg string) {
+	homeDir, _ := env.UserHomeDir(ctx)
+	errMsg = scrubForTelemetry(errMsg, b.BundleRootPath, homeDir)
+
 	if len(errMsg) > maxErrorMessageLength {
 		errMsg = errMsg[:maxErrorMessageLength]
 	}
diff --git a/bundle/phases/telemetry_scrub.go b/bundle/phases/telemetry_scrub.go
@@ -0,0 +1,131 @@
+package phases
+
+import (
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+// Scrub sensitive information from error messages before sending to telemetry.
+// Inspired by VS Code's telemetry path scrubbing and Sentry's @userpath pattern.
+//
+// References:
+// - VS Code: https://github.com/microsoft/vscode/blob/main/src/vs/platform/telemetry/common/telemetryUtils.ts
+// - Sentry: https://github.com/getsentry/relay (PII rule: @userpath)
+var (
+	// Matches home directory paths on macOS and Linux.
+	// The leading delimiter check avoids matching workspace paths like
+	// /Workspace/Users/... where /Users is not a top-level component.
+	unixHomeDirRegexp = regexp.MustCompile(`(?:^|[\s:,"'])(/(?:Users|home)/[^\s:,"']+)`)
+
+	// Matches home directory paths on Windows with either backslashes or
+	// forward slashes (C:\Users\xxx\... or C:/Users/xxx/...).
+	windowsHomeDirRegexp = regexp.MustCompile(`[A-Z]:[/\\]Users[/\\][^\s:,"']+`)
+
+	// Matches remaining absolute Unix paths with at least two components
+	// (e.g., /tmp/foo, /var/folders/xx/..., /etc/databricks/...).
+	// Safe prefixes (/Workspace, /Volumes, /dbfs) are filtered in the
+	// replacement function since Go regexp lacks negative lookahead.
+	remainingAbsPathRegexp = regexp.MustCompile(`(?:^|[\s:,"'])(/[^\s:,"'/]+/[^\s:,"']+)`)
+
+	// Matches email addresses. Workspace paths in Databricks often contain
+	// emails (e.g., /Workspace/Users/user@example.com/.bundle/dev).
+	emailRegexp = regexp.MustCompile(`[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}`)
+)
+
+// scrubForTelemetry is a best-effort scrubber that removes sensitive path and
+// PII information from error messages before they are sent to telemetry.
+// The error message is treated as PII by the logging infrastructure but we
+// scrub to avoid collecting more information than necessary.
+func scrubForTelemetry(msg, bundleRoot, homeDir string) string {
+	// Replace the bundle root path first since it's the most specific match.
+	// This turns "/Users/shreyas/project/databricks.yml" into "./databricks.yml".
+	if bundleRoot != "" {
+		msg = replacePath(msg, bundleRoot, ".")
+	}
+
+	// Replace the user's home directory. This catches paths outside the
+	// bundle root like "/Users/shreyas/.databricks/..." → "~/.databricks/...".
+	if homeDir != "" {
+		msg = replacePath(msg, homeDir, "~")
+	}
+
+	// Regex fallback: redact remaining home directory paths not covered by the
+	// direct home dir replacement above (e.g., paths from other users or
+	// non-standard home directory locations).
+	// Run Windows first to avoid partial matches from the Unix regex on
+	// paths like C:/Users/...
+	msg = windowsHomeDirRegexp.ReplaceAllString(msg, "[REDACTED_HOME_PATH]")
+	msg = replaceUnixRegexpMatch(msg, unixHomeDirRegexp, "[REDACTED_HOME_PATH]")
+
+	// Catch-all: redact any remaining absolute paths (e.g., /tmp/...,
+	// /var/folders/...) that weren't covered by the above replacements.
+	// Skip known safe prefixes like /Workspace, /Volumes, /dbfs.
+	msg = remainingAbsPathRegexp.ReplaceAllStringFunc(msg, func(match string) string {
+		idx := strings.Index(match, "/")
+		if idx < 0 {
+			return match
+		}
+		path := match[idx:]
+		for _, prefix := range []string{"/Workspace/", "/Volumes/", "/dbfs/"} {
+			if strings.HasPrefix(path, prefix) {
+				return match
+			}
+		}
+		return match[:idx] + "[REDACTED_PATH]"
+	})
+
+	// Redact email addresses.
+	msg = emailRegexp.ReplaceAllString(msg, "[REDACTED_EMAIL]")
+
+	return msg
+}
+
+// replacePath replaces all occurrences of a directory path with the given
+// replacement. It only replaces when the path appears as a complete prefix,
+// i.e., followed by `/`, a delimiter, or end of string. This prevents partial
+// matches like "/Users/shreyas" matching inside "/Workspace/Users/shreyas@...".
+func replacePath(msg, path, replacement string) string {
+	normalized := filepath.ToSlash(path)
+	for _, p := range []string{normalized, path} {
+		msg = strings.ReplaceAll(msg, p+"/", replacement+"/")
+
+		// Replace occurrences not followed by '/' only when the path is at
+		// a word boundary (followed by delimiter or end of string).
+		result := strings.Builder{}
+		for {
+			idx := strings.Index(msg, p)
+			if idx == -1 {
+				result.WriteString(msg)
+				break
+			}
+			after := idx + len(p)
+			// Check the character after the match. Only replace if it's
+			// a delimiter or end of string.
+			if after == len(msg) || strings.ContainsRune(" \t\n:,\"'", rune(msg[after])) {
+				result.WriteString(msg[:idx])
+				result.WriteString(replacement)
+				msg = msg[after:]
+			} else {
+				result.WriteString(msg[:after])
+				msg = msg[after:]
+			}
+		}
+		msg = result.String()
+	}
+	return msg
+}
+
+// replaceUnixRegexpMatch replaces Unix absolute paths matched by the given
+// regex. The regex is expected to use a leading delimiter group
+// `(?:^|[\s:,"'])` to anchor the match. The delimiter is preserved and only
+// the path portion (starting with `/`) is replaced.
+func replaceUnixRegexpMatch(msg string, re *regexp.Regexp, replacement string) string {
+	return re.ReplaceAllStringFunc(msg, func(match string) string {
+		idx := strings.Index(match, "/")
+		if idx < 0 {
+			return match
+		}
+		return match[:idx] + replacement
+	})
+}
diff --git a/bundle/phases/telemetry_scrub_test.go b/bundle/phases/telemetry_scrub_test.go
@@ -0,0 +1,238 @@
+package phases
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestScrubForTelemetry_BundleRootPath(t *testing.T) {
+	tests := []struct {
+		name       string
+		msg        string
+		bundleRoot string
+		expected   string
+	}{
+		{
+			name:       "replaces bundle root in file path",
+			msg:        "failed to load /home/user/project/databricks.yml: invalid config",
+			bundleRoot: "/home/user/project",
+			expected:   "failed to load ./databricks.yml: invalid config",
+		},
+		{
+			name:       "replaces bundle root without trailing content",
+			msg:        "error at /home/user/project",
+			bundleRoot: "/home/user/project",
+			expected:   "error at .",
+		},
+		{
+			name:       "replaces multiple occurrences",
+			msg:        "path /home/user/project/a.yml and /home/user/project/b.yml",
+			bundleRoot: "/home/user/project",
+			expected:   "path ./a.yml and ./b.yml",
+		},
+		{
+			name:       "empty bundle root is no-op",
+			msg:        "some error",
+			bundleRoot: "",
+			expected:   "some error",
+		},
+		{
+			name:       "empty message",
+			msg:        "",
+			bundleRoot: "/home/user/project",
+			expected:   "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, tt.bundleRoot, ""))
+		})
+	}
+}
+
+func TestScrubForTelemetry_HomeDir(t *testing.T) {
+	tests := []struct {
+		name     string
+		msg      string
+		homeDir  string
+		expected string
+	}{
+		{
+			name:     "replaces home dir with tilde",
+			msg:      "failed to read /Users/shreyas/.databricks/config.json",
+			homeDir:  "/Users/shreyas",
+			expected: "failed to read ~/.databricks/config.json",
+		},
+		{
+			name:     "home dir replacement after bundle root",
+			msg:      "error: /Users/shreyas/project/file.yml and /Users/shreyas/.cache/other",
+			homeDir:  "/Users/shreyas",
+			expected: "error: ~/project/file.yml and ~/.cache/other",
+		},
+		{
+			name:     "bundle root takes priority over home dir",
+			msg:      "error at /Users/shreyas/project/databricks.yml",
+			homeDir:  "/Users/shreyas",
+			expected: "error at ./databricks.yml",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			bundleRoot := ""
+			if tt.name == "bundle root takes priority over home dir" {
+				bundleRoot = "/Users/shreyas/project"
+			}
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, bundleRoot, tt.homeDir))
+		})
+	}
+}
+
+func TestScrubForTelemetry_HomeDirRegexFallback(t *testing.T) {
+	tests := []struct {
+		name     string
+		msg      string
+		expected string
+	}{
+		{
+			name:     "macOS home dir",
+			msg:      "failed to read /Users/otheruser/some-project/file.yml",
+			expected: "failed to read [REDACTED_HOME_PATH]",
+		},
+		{
+			name:     "Linux home dir",
+			msg:      "failed to read /home/runner/work/project/file.yml",
+			expected: "failed to read [REDACTED_HOME_PATH]",
+		},
+		{
+			name:     "home dir in middle of message",
+			msg:      "error: /Users/jane/project/a.yml: not found, try again",
+			expected: "error: [REDACTED_HOME_PATH]: not found, try again",
+		},
+		{
+			name:     "Windows home dir with backslashes",
+			msg:      `error at C:\Users\shreyas\project\file.yml`,
+			expected: "error at [REDACTED_HOME_PATH]",
+		},
+		{
+			name:     "Windows home dir with forward slashes",
+			msg:      "error at C:/Users/shreyas/project/file.yml",
+			expected: "error at [REDACTED_HOME_PATH]",
+		},
+		{
+			name:     "preserves relative paths",
+			msg:      "failed to load ./resources/job.yml",
+			expected: "failed to load ./resources/job.yml",
+		},
+		{
+			name:     "preserves workspace paths without email",
+			msg:      "uploading to /Workspace/.bundle/dev/files",
+			expected: "uploading to /Workspace/.bundle/dev/files",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, "", ""))
+		})
+	}
+}
+
+func TestScrubForTelemetry_RemainingAbsolutePaths(t *testing.T) {
+	tests := []struct {
+		name     string
+		msg      string
+		expected string
+	}{
+		{
+			name:     "tmp path",
+			msg:      "failed to write /tmp/bundle-xyz/state.json",
+			expected: "failed to write [REDACTED_PATH]",
+		},
+		{
+			name:     "var folders path",
+			msg:      "error reading /var/folders/7t/n_tz6x9d4xj91h48pf8md5zh0000gp/T/test123/file",
+			expected: "error reading [REDACTED_PATH]",
+		},
+		{
+			name:     "etc path",
+			msg:      "config at /etc/databricks/config.json not found",
+			expected: "config at [REDACTED_PATH] not found",
+		},
+		{
+			name:     "preserves workspace paths",
+			msg:      "uploading to /Workspace/Users/dev/.bundle/files",
+			expected: "uploading to /Workspace/Users/dev/.bundle/files",
+		},
+		{
+			name:     "preserves volume paths",
+			msg:      "artifact at /Volumes/catalog/schema/volume/artifact.whl",
+			expected: "artifact at /Volumes/catalog/schema/volume/artifact.whl",
+		},
+		{
+			name:     "preserves dbfs paths",
+			msg:      "state at /dbfs/mnt/data/state.json",
+			expected: "state at /dbfs/mnt/data/state.json",
+		},
+		{
+			name:     "single component path is not matched",
+			msg:      "POST /telemetry-ext failed",
+			expected: "POST /telemetry-ext failed",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, "", ""))
+		})
+	}
+}
+
+func TestScrubForTelemetry_Emails(t *testing.T) {
+	tests := []struct {
+		name     string
+		msg      string
+		expected string
+	}{
+		{
+			name:     "email in workspace path",
+			msg:      "/Workspace/Users/user@example.com/.bundle/dev should contain current username",
+			expected: "/Workspace/Users/[REDACTED_EMAIL]/.bundle/dev should contain current username",
+		},
+		{
+			name:     "plain email",
+			msg:      "access denied for user@company.io",
+			expected: "access denied for [REDACTED_EMAIL]",
+		},
+		{
+			name:     "no email present",
+			msg:      "some error without emails",
+			expected: "some error without emails",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, scrubForTelemetry(tt.msg, "", ""))
+		})
+	}
+}
+
+func TestScrubForTelemetry_Combined(t *testing.T) {
+	msg := "failed to load /Users/shreyas/myproject/databricks.yml: " +
+		"workspace /Workspace/Users/shreyas@databricks.com/.bundle is invalid, " +
+		"also tried /home/other/fallback/config.yml, " +
+		"temp at /tmp/bundle-cache/state.json"
+
+	got := scrubForTelemetry(msg, "/Users/shreyas/myproject", "/Users/shreyas")
+
+	assert.Equal(t,
+		"failed to load ./databricks.yml: "+
+			"workspace /Workspace/Users/[REDACTED_EMAIL]/.bundle is invalid, "+
+			"also tried [REDACTED_HOME_PATH], "+
+			"temp at [REDACTED_PATH]",
+		got,
+	)
+}
