Make New() and Wrap() consider their string as PII-free

**THIS IS A BREAKING CHANGE.**

The `errors.New()`, `errors.NewWithDepth()`, `errors.Wrap()` and
`errors.WrapWithDepth()` now consider their string argument as
PII-free, and the string is now also included in Sentry reports.

This is a breaking change: in previous versions, only the format
argument to `errors.Newf`, `errors.Wrapf` etc was considered to be
PII-free.

This also means that **care must be taken when using this `errors`
library as drop-in replacement for other errors libraries**: callers
that use `New()` and `Wrap()` directly must be audited to ensure that
they indeed pass strings that are safe for reporting to Sentry.

This can be enforced e.g. via linters that assert that the argument is
a literal (constant) string. This is the approach taken e.g. in
CockroachDB.

Author: knz

README.md

@@ -75,8 +75,8 @@ older version of the package.
 
 | Error detail                                                    | `Error()` and format `%s`/`%q`/`%v` | format `%+v` | `GetSafeDetails()`            | Sentry report via `ReportError()` |
 |-----------------------------------------------------------------|-------------------------------------|--------------|-------------------------------|-----------------------------------|
-| main message, eg `New()`                                        | visible                             | visible      | redacted                      | redacted                          |
-| wrap prefix, eg `WithMessage()`                                 | visible (as prefix)                 | visible      | redacted                      | redacted                          |
+| main message, eg `New()`                                        | visible                             | visible      | yes (CHANGED IN v1.6)         | full (CHANGED IN v1.6)            |
+| wrap prefix, eg `WithMessage()`                                 | visible (as prefix)                 | visible      | yes (CHANGED IN v1.6)         | full (CHANGED IN v1.6)            |
 | stack trace, eg `WithStack()`                                   | not visible                         | simplified   | yes                           | full                              |
 | hint , eg `WithHint()`                                          | not visible                         | visible      | no                            | type only                         |
 | detail, eg `WithDetail()`                                       | not visible                         | visible      | no                            | type only                         |
@@ -98,7 +98,7 @@ method.
 - `New(string) error`, `Newf(string, ...interface{}) error`, `Errorf(string, ...interface{}) error`: leaf errors with message
   - **when to use: common error cases.**
   - what it does: also captures the stack trace at point of call and redacts the provided message for safe reporting.
-  - how to access the detail: `Error()`, regular Go formatting. Details redacted in Sentry report.
+  - how to access the detail: `Error()`, regular Go formatting. **Details in Sentry report.**
   - see also: Section [Error composition](#Error-composition-summary) below. `errors.NewWithDepth()` variants to customize at which call depth the stack trace is captured.
 
 - `AssertionFailedf(string, ...interface{}) error`, `NewAssertionFailureWithWrappedErrf(error, string, ...interface{}) error`: signals an assertion failure / programming error.
@@ -141,7 +141,7 @@ return errors.Wrap(foo(), "foo")
 - `Wrap(error, string) error`, `Wrapf(error, string, ...interface{}) error`:
   - **when to use: on error return paths.**
   - what it does: combines `WithMessage()`, `WithStack()`, `WithSafeDetails()`.
-  - how to access the details: `Error()`, regular Go formatting. Details redacted in Sentry report.
+  - how to access the details: `Error()`, regular Go formatting. **Details in Sentry report.**
   - see also: Section [Error composition](#Error-composition-summary) below. `WrapWithDepth()` variants to customize at which depth the stack trace is captured.
 
 - `WithSecondaryError(error, error) error`: annotate an error with a secondary error.

errutil/fmt_wrap_test.go

@@ -52,17 +52,19 @@ func TestErrorWrap(t *testing.T) {
   | github.com/cockroachdb/errors/errutil_test.TestErrorWrap
   | <tab><path>
   | [...repeated from below...]
-Wraps: (2) woo
-Wraps: (3) hello
-Wraps: (4) attached stack trace
+Wraps: (2) 1 safe detail enclosed
+Wraps: (3) woo
+Wraps: (4) hello
+Wraps: (5) attached stack trace
   | github.com/cockroachdb/errors/errutil_test.TestErrorWrap
   | <tab><path>
   | testing.tRunner
   | <tab><path>
   | runtime.goexit
   | <tab><path>
-Wraps: (5) world
-Error types: (1) *withstack.withStack (2) *errutil.withMessage (3) *fmt.wrapError (4) *withstack.withStack (5) *errors.errorString`},
+Wraps: (6) 1 safe detail enclosed
+Wraps: (7) world
+Error types: (1) *withstack.withStack (2) *safedetails.withSafeDetails (3) *errutil.withMessage (4) *fmt.wrapError (5) *withstack.withStack (6) *safedetails.withSafeDetails (7) *errors.errorString`},
 
 		{"new wrap err",
 			errutil.Newf("hello: %w", baseErr),
@@ -81,8 +83,9 @@ Wraps: (4) attached stack trace
   | <tab><path>
   | runtime.goexit
   | <tab><path>
-Wraps: (5) world
-Error types: (1) *withstack.withStack (2) *safedetails.withSafeDetails (3) *fmt.wrapError (4) *withstack.withStack (5) *errors.errorString`},
+Wraps: (5) 1 safe detail enclosed
+Wraps: (6) world
+Error types: (1) *withstack.withStack (2) *safedetails.withSafeDetails (3) *fmt.wrapError (4) *withstack.withStack (5) *safedetails.withSafeDetails (6) *errors.errorString`},
 	}
 
 	for _, test := range testCases {

errutil/utilities.go

@@ -25,11 +25,16 @@ import (
 // New creates an error with a simple error message.
 // A stack trace is retained.
 //
+// Note: the message string is assumed to not contain
+// PII and is included in Sentry reports.
+// Use errors.Newf("%s", <unsafestring>) for errors
+// strings that may contain PII information.
+//
 // Detail output:
 // - message via `Error()` and formatting using `%v`/`%s`/`%q`.
 // - everything when formatting with `%+v`.
-// - stack trace (not message) via `errors.GetSafeDetails()`.
-// - stack trace (not message) in Sentry reports.
+// - stack trace and message via `errors.GetSafeDetails()`.
+// - stack trace and message in Sentry reports.
 func New(msg string) error {
 	return NewWithDepth(1, msg)
 }
@@ -39,12 +44,21 @@ func New(msg string) error {
 // See the doc of `New()` for more details.
 func NewWithDepth(depth int, msg string) error {
 	err := goErr.New(msg)
+	if len(msg) > 0 {
+		err = safedetails.WithSafeDetails(err, msg)
+	}
 	err = withstack.WithStackDepth(err, 1+depth)
 	return err
 }
 
 // Newf creates an error with a formatted error message.
 // A stack trace is retained.
+//
+// Note: the format string is assumed to not contain
+// PII and is included in Sentry reports.
+// Use errors.Newf("%s", <unsafestring>) for errors
+// strings that may contain PII information.
+//
 // See the doc of `New()` for more details.
 func Newf(format string, args ...interface{}) error {
 	return NewWithDepthf(1, format, args...)
@@ -65,11 +79,16 @@ func NewWithDepthf(depth int, format string, args ...interface{}) error {
 // Wrap wraps an error with a message prefix.
 // A stack trace is retained.
 //
+// Note: the prefix string is assumed to not contain
+// PII and is included in Sentry reports.
+// Use errors.Wrapf(err, "%s", <unsafestring>) for errors
+// strings that may contain PII information.
+//
 // Detail output:
 // - original error message + prefix via `Error()` and formatting using `%v`/`%s`/`%q`.
 // - everything when formatting with `%+v`.
-// - stack trace (not message) via `errors.GetSafeDetails()`.
-// - stack trace (not message) in Sentry reports.
+// - stack trace and message via `errors.GetSafeDetails()`.
+// - stack trace and message in Sentry reports.
 func Wrap(err error, msg string) error {
 	return WrapWithDepth(1, err, msg)
 }
@@ -80,6 +99,7 @@ func Wrap(err error, msg string) error {
 func WrapWithDepth(depth int, err error, msg string) error {
 	if msg != "" {
 		err = WithMessage(err, msg)
+		err = safedetails.WithSafeDetails(err, msg)
 	}
 	err = withstack.WithStackDepth(err, depth+1)
 	return err
@@ -89,11 +109,16 @@ func WrapWithDepth(depth int, err error, msg string) error {
 // trace is also retained. If the format is empty, no prefix is added,
 // but the extra arguments are still processed for reportable strings.
 //
+// Note: the format string is assumed to not contain
+// PII and is included in Sentry reports.
+// Use errors.Wrapf(err, "%s", <unsafestring>) for errors
+// strings that may contain PII information.
+//
 // Detail output:
 // - original error message + prefix via `Error()` and formatting using `%v`/`%s`/`%q`.
 // - everything when formatting with `%+v`.
-// - stack trace (not message) and redacted details via `errors.GetSafeDetails()`.
-// - stack trace (not message) and redacted details in Sentry reports.
+// - stack trace, format, and redacted details via `errors.GetSafeDetails()`.
+// - stack trace, format, and redacted details in Sentry reports.
 func Wrapf(err error, format string, args ...interface{}) error {
 	return WrapWithDepthf(1, err, format, args...)
 }