fix(wsgi): Gate url.full, url.path, and http.query behind send_default_pii #6654
ericapisani wants to merge 1 commit into
…t_pii
The url.full, url.path, and http.query span attributes can contain user-provided query parameters and paths that may include PII. Gate these behind the send_default_pii setting, consistent with how client.address is handled.
Fixes PY-2552
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Results 📊
✅ 89197 passed | ❌ 6 failed | ⏭️ 6185 skipped | Total: 95388 | Pass Rate: 93.51% | Execution Time: 322m 24s
📊 Comparison with Base Branch
➕ New Tests (6)
| File | Patch % | Lines |
|---|---|---|
| sentry_sdk/integrations/wsgi.py | 100.00% |
Coverage diff
@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 89.89% 89.89% —%
==========================================
Files 192 192 —
Lines 23763 23766 +3
Branches 8206 8208 +2
==========================================
+ Hits 21360 21363 +3
- Misses 2403 2403 —
- Partials 1343 1345 +2
Generated by Codecov Action
| envelope = events[0] | ||
|
|
||
| assert envelope["type"] == "transaction" | ||
| assert envelope["transaction"] == "generic WSGI request" | ||
| assert envelope["contexts"]["trace"]["op"] == "http.server" | ||
| assert envelope["request"] == DictionaryContaining( | ||
| {"method": "GET", "url": "http://localhost/dogs/are/great/"} | ||
| { | ||
| "method": "GET", | ||
| "url": "http://localhost/dogs/are/great", | ||
| "query_string": "toy=tennisball", | ||
| } |
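Review bot: The multi-line expected dict for `envelope["request"]` requires `"query_string": "toy=tennisball"` next to the URL, but nothing in the visible lines states which `send_default_pii` value this test runs under. Because the change is about gating URL and query data on that setting, make the setting explicit in the test (or its name) and add the opposite case, so the assertion records whether the transaction's request data is meant to carry the query string when PII is off. The expected URL also differs between the two forms shown (`http://localhost/dogs/are/great/` versus `http://localhost/dogs/are/great`); if that only follows from a changed request path, a one-line comment saying so would help.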
Bug: The WSGI integration leaks PII in non-streaming transaction events by unconditionally adding url and query_string, even when send_default_pii is False.
Severity: HIGH
Suggested Fix
In the _make_wsgi_event_processor function, wrap the assignments for request_info["url"] and request_info["query_string"] in a conditional check for should_send_default_pii(). This will ensure that PII is consistently redacted across both streaming and non-streaming code paths, respecting the user's setting.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: tests/integrations/wsgi/test_wsgi.py#L265-L276
Potential issue: The WSGI integration aims to prevent sending Personally Identifiable
Information (PII) when `send_default_pii` is `False`. While the change correctly redacts
PII for span attributes in the streaming path (`_get_request_attributes`), it fails to
do so for the non-streaming transaction event path. The `_make_wsgi_event_processor`
function unconditionally sets `request["url"]` and `request["query_string"]` on the
event. This results in an inconsistent behavior where users who set
`send_default_pii=False` will still have unredacted URLs and query strings sent in
transaction events if they are not using the span streaming path, leading to an
unintended PII leak.
The WSGI integration now gates `url.full`, `url.path`, and `http.query` span attributes behind `send_default_pii`, consistent with how `client.address` is already handled. These attributes can contain user-provided query parameters and path segments that may include PII, so they should not be captured by default.
Fixes PY-2552
Fixes #6653
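The gating this PR describes, sketched as an added example that is not the SDK's own code: `request_attributes`, `pii_leaks` and `SAMPLE_ENVIRON` are hypothetical names, and `http.request.method` is an assumed always-on attribute. The second function is a regression check that flags gated keys as well as any attribute value that echoes request data.

```python
from wsgiref.util import request_uri

# Attribute names taken from the PR text; everything else here is hypothetical.
PII_GATED = ("url.full", "url.path", "http.query", "client.address")


def request_attributes(environ, send_default_pii):
    """Build span attributes from a WSGI environ, gating user-controlled fields."""
    # The request method is not free-form user input, so it is always kept
    # (assumed attribute name, not taken from the page).
    attrs = {"http.request.method": environ.get("REQUEST_METHOD", "")}
    if not send_default_pii:
        return attrs
    attrs["url.full"] = request_uri(environ, include_query=True)
    attrs["url.path"] = environ.get("PATH_INFO", "")
    if environ.get("QUERY_STRING"):
        attrs["http.query"] = environ["QUERY_STRING"]
    if environ.get("REMOTE_ADDR"):
        attrs["client.address"] = environ["REMOTE_ADDR"]
    return attrs


def pii_leaks(attrs, environ):
    """Return attribute keys that are gated, or whose value echoes request data."""
    sensitive = [environ.get(k) for k in ("PATH_INFO", "QUERY_STRING", "REMOTE_ADDR")]
    sensitive = [s for s in sensitive if s]
    return sorted(
        key for key, value in attrs.items()
        if key in PII_GATED or any(s in str(value) for s in sensitive)
    )


# Constructed sample request, mirroring the path and query used in the PR's test.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "localhost",
    "SCRIPT_NAME": "",
    "PATH_INFO": "/dogs/are/great",
    "QUERY_STRING": "toy=tennisball",
    "REMOTE_ADDR": "203.0.113.7",
}

if __name__ == "__main__":
    for flag in (False, True):
        attrs = request_attributes(SAMPLE_ENVIRON, send_default_pii=flag)
        print(flag, attrs, "leaks:", pii_leaks(attrs, SAMPLE_ENVIRON))
```

Running `pii_leaks` over every event shape an integration emits, with the flag off, is what would surface a path that sets URL data unconditionally.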