Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency sentry-sdk to v2 [SECURITY] #163

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 3, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sentry-sdk (changelog) 0.10.2 -> 2.8.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-28117

Impact

When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.

The below must be true in order for these sensitive values to be leaked:

  1. Your Sentry SDK configuration has sendDefaultPII set to True
  2. You are using a custom name for either of the cookies below in your Django settings.
  1. You are not configured in your organization or project settings to use our data scrubbing features to account for the custom cookie names

Patches

As of version 1.14.0, the Django integration of the sentry-sdk will detect the custom cookie names based on your Django settings and will remove the values from the payload before sending the data to Sentry.

Workarounds

If you can not update your sentry-sdk to a patched version than you can use the SDKs filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events this can be done with the before_send callback method and for performance related events (transactions) you can use the before_send_transaction callback method.

If you'd like to handle filtering of these values on the server-side, you can also use our advanced data scrubbing feature to account for the custom cookie names. Look for the $http.cookies, $http.headers, $request.cookies, or $request.headers fields to target with your scrubbing rule.

References

Credits

CVE-2024-40647

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

  1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

  1. Disable Stdlib integration:
import sentry_sdk

# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)

References


Release Notes

getsentry/sentry-python (sentry-sdk)

v2.8.0

Compare Source

Various fixes & improvements

v2.7.1

Compare Source

Various fixes & improvements

v2.7.0

Compare Source

v2.6.0

Compare Source

v2.5.1

Compare Source

This change fixes a regression in our cron monitoring feature, which caused cron checkins not to be sent. The regression appears to have been introduced in version 2.4.0.

We recommend that all users, who use Cron monitoring and are currently running sentry-python ≥2.4.0, upgrade to this release as soon as possible!

Other fixes & improvements

v2.5.0

Compare Source

Various fixes & improvements
  • Allow to configure status codes to report to Sentry in Starlette and FastAPI (#​3008) by @​sentrivana

    By passing a new option to the FastAPI and Starlette integrations, you're now able to configure what
    status codes should be sent as events to Sentry. Here's how it works:

    from sentry_sdk.integrations.starlette import StarletteIntegration
    from sentry_sdk.integrations.fastapi import FastApiIntegration
    
    sentry_sdk.init(

...

  integrations=[
      StarletteIntegration(
          failed_request_status_codes=[403, range(500, 599)],
      ),
      FastApiIntegration(
          failed_request_status_codes=[403, range(500, 599)],
      ),
  ]

)


`failed_request_status_codes` expects a list of integers or containers (objects that allow membership checks via `in`)
of integers. Examples of valid `failed_request_status_codes`:

- `[500]` will only send events on HTTP 500.
- `[400, range(500, 599)]` will send events on HTTP 400 as well as the 500-599 range.
- `[500, 503]` will send events on HTTP 500 and 503.

The default is `[range(500, 599)]`.

See the [FastAPI](https://docs.sentry.io/platforms/python/integrations/fastapi/) and [Starlette](https://docs.sentry.io/platforms/python/integrations/starlette/) integration docs for more details.

- Support multiple keys with `cache_prefixes` (#&#8203;3136) by @&#8203;sentrivana
- Support integer Redis keys (#&#8203;3132) by @&#8203;sentrivana
- Update SDK version in CONTRIBUTING.md (#&#8203;3129) by @&#8203;sentrivana
- Bump actions/checkout from 4.1.4 to 4.1.5 (#&#8203;3067) by @&#8203;dependabot

v2.4.0

Compare Source

Various fixes & improvements

v2.3.1

Compare Source

Various fixes & improvements

v2.3.0

Compare Source

Various fixes & improvements

v2.2.1

Compare Source

Various fixes & improvements

v2.2.0

Compare Source

New features
  • Celery integration now sends additional data to Sentry to enable new features to guage the health of your queues
  • Added a new integration for Cohere
  • Reintroduced the last_event_id function, which had been removed in 2.0.0
Other fixes & improvements

v2.1.1

Compare Source

v2.1.0

Compare Source

v2.0.1

Compare Source

Various fixes & improvements

v2.0.0

Compare Source

This is the first major update in a long time!

We dropped support for some ancient languages and frameworks (Yes, Python 2.7 is no longer supported). Additionally we refactored a big part of the foundation of the SDK (how data inside the SDK is handled).

We hope you like it!

For a shorter version of what you need to do, to upgrade to Sentry SDK 2.0 see: https://docs.sentry.io/platforms/python/migration/1.x-to-2.x

New Features
  • Additional integrations will now be activated automatically if the SDK detects the respective package is installed: Ariadne, ARQ, asyncpg, Chalice, clickhouse-driver, GQL, Graphene, huey, Loguru, PyMongo, Quart, Starlite, Strawberry.
  • Added new API for custom instrumentation: new_scope, isolation_scope. See the Deprecated section to see how they map to the existing APIs.
Changed

(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))

  • The Pyramid integration will not capture errors that might happen in authenticated_userid() in a custom AuthenticationPolicy class.
  • The method need_code_loation of the MetricsAggregator was renamed to need_code_location.
  • The BackgroundWorker thread used to process events was renamed from raven-sentry.BackgroundWorker to sentry-sdk.BackgroundWorker.
  • The reraise function was moved from sentry_sdk._compat to sentry_sdk.utils.
  • The _ScopeManager was moved from sentry_sdk.hub to sentry_sdk.scope.
  • Moved the contents of tracing_utils_py3.py to tracing_utils.py. The start_child_span_decorator is now in sentry_sdk.tracing_utils.
  • The actual implementation of get_current_span was moved to sentry_sdk.tracing_utils. sentry_sdk.get_current_span is still accessible as part of the top-level API.
  • sentry_sdk.tracing_utils.add_query_source(): Removed the hub parameter. It is not necessary anymore.
  • sentry_sdk.tracing_utils.record_sql_queries(): Removed the hub parameter. It is not necessary anymore.
  • sentry_sdk.tracing_utils.get_current_span() does now take a scope instead of a hub as parameter.
  • sentry_sdk.tracing_utils.should_propagate_trace() now takes a Client instead of a Hub as first parameter.
  • sentry_sdk.utils.is_sentry_url() now takes a Client instead of a Hub as first parameter.
  • sentry_sdk.utils._get_contextvars does not return a tuple with three values, but a tuple with two values. The copy_context was removed.
  • If you create a transaction manually and later mutate the transaction in a configure_scope block this does not work anymore. Here is a recipe on how to change your code to make it work:
    Your existing implementation:
    transaction = sentry_sdk.transaction(...)

later in the code execution:

with sentry_sdk.configure_scope() as scope:
    scope.set_transaction_name("new-transaction-name")
```

needs to be changed to this:
```python
transaction = sentry_sdk.transaction(...)

later in the code execution:

scope = sentry_sdk.get_current_scope()
scope.set_transaction_name("new-transaction-name")
```
  • The classes listed in the table below are now abstract base classes. Therefore, they can no longer be instantiated. Subclasses can only be instantiated if they implement all of the abstract methods.

    Show table
    Class Abstract methods
    sentry_sdk.integrations.Integration setup_once
    sentry_sdk.metrics.Metric add, serialize_value, and weight
    sentry_sdk.profiler.Scheduler setup and teardown
    sentry_sdk.transport.Transport capture_envelope
Removed

(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))

  • Removed support for Python 2 and Python 3.5. The SDK now requires at least Python 3.6.
  • Removed support for Celery 3.*.
  • Removed support for Django 1.8, 1.9, 1.10.
  • Removed support for Flask 0.*.
  • Removed support for gRPC < 1.39.
  • Removed support for Tornado < 6.
  • Removed last_event_id() top level API. The last event ID is still returned by capture_event(), capture_exception() and capture_message() but the top level API sentry_sdk.last_event_id() has been removed.
  • Removed support for sending events to the /store endpoint. Everything is now sent to the /envelope endpoint. If you're on SaaS you don't have to worry about this, but if you're running Sentry yourself you'll need version 20.6.0 or higher of self-hosted Sentry.
  • The deprecated with_locals configuration option was removed. Use include_local_variables instead. See https://docs.sentry.io/platforms/python/configuration/options/#include-local-variables.
  • The deprecated request_bodies configuration option was removed. Use max_request_body_size. See https://docs.sentry.io/platforms/python/configuration/options/#max-request-body-size.
  • Removed support for user.segment. It was also removed from the trace header as well as from the dynamic sampling context.
  • Removed support for the install method for custom integrations. Please use setup_once instead.
  • Removed sentry_sdk.tracing.Span.new_span. Use sentry_sdk.tracing.Span.start_child instead.
  • Removed sentry_sdk.tracing.Transaction.new_span. Use sentry_sdk.tracing.Transaction.start_child instead.
  • Removed support for creating transactions via sentry_sdk.tracing.Span(transaction=...). To create a transaction, please use sentry_sdk.tracing.Transaction(name=...).
  • Removed sentry_sdk.utils.Auth.store_api_url.
  • sentry_sdk.utils.Auth.get_api_url's now accepts a sentry_sdk.consts.EndpointType enum instead of a string as its only parameter. We recommend omitting this argument when calling the function, since the parameter's default value is the only possible sentry_sdk.consts.EndpointType value. The parameter exists for future compatibility.
  • Removed tracing_utils_py2.py. The start_child_span_decorator is now in sentry_sdk.tracing_utils.
  • Removed the sentry_sdk.profiler.Scheduler.stop_profiling method. Any calls to this method can simply be removed, since this was a no-op method.
Deprecated

do something


After:

```python
import sentry_sdk

with sentry_sdk.start_span(...):

### do something
  • Hub cloning is deprecated.

    Before:

    with Hub(Hub.current) as hub:

do something with the cloned hub


After:

```python
import sentry_sdk

with sentry_sdk.isolation_scope() as scope:

### do something with the forked scope
  • configure_scope is deprecated. Use the new isolation scope directly via get_isolation_scope() instead.

    Before:

    with configure_scope() as scope:

do something with scope


After:

```python
from sentry_sdk import get_isolation_scope

scope = get_isolation_scope()

v1.45.1

Compare Source

This is a security backport release.

v1.45.0

Compare Source

This is the final 1.x release for the forseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.

Various fixes & improvements
  • Allow to upsert monitors (#​2929) by @​sentrivana

    It's now possible to provide monitor_config to the monitor decorator/context manager directly:

    from sentry_sdk.crons import monitor

v1.44.1

Compare Source

Various fixes & improvements
  • Make monitor async friendly (#​2912) by @​sentrivana

    You can now decorate your async functions with the monitor
    decorator and they will correctly report their duration
    and completion status.

  • Fixed Event | None runtime TypeError (#​2928) by @​szokeasaurusrex

v1.44.0

Compare Source

Various fixes & improvements

v1.43.0

Compare Source

Various fixes & improvements
  • Add optional keep_alive (#​2842) by @​sentrivana

    If you're experiencing frequent network issues between the SDK and Sentry,
    you can try turning on TCP keep-alive:

    import sentry_sdk
    
    sentry_sdk.init(

...your usual settings...

  keep_alive=True,

)


- Add support for Celery Redbeat cron tasks (#&#8203;2643) by @&#8203;kwigley

The SDK now supports the Redbeat scheduler in addition to the default
Celery Beat scheduler for auto instrumenting crons. See
[the docs](https://docs.sentry.io/platforms/python/integrations/celery/crons/)
for more information about how to set this up.

- `aws_event` can be an empty list (#&#8203;2849) by @&#8203;sentrivana
- Re-export `Event` in `types.py` (#&#8203;2829) by @&#8203;szokeasaurusrex
- Small API docs improvement (#&#8203;2828) by @&#8203;antonpirker
- Fixed OpenAI tests (#&#8203;2834) by @&#8203;antonpirker
- Bump `checkouts/data-schemas` from `ed078ed` to `8232f17` (#&#8203;2832) by @&#8203;dependabot

v1.42.0

Compare Source

Various fixes & improvements
  • New integration: OpenAI integration (#​2791) by @​colin-sentry

    We added an integration for OpenAI to capture errors and also performance data when using the OpenAI Python SDK.

    Useage:

    This integrations is auto-enabling, so if you have the openai package in your project it will be enabled. Just initialize Sentry before you create your OpenAI client.

    from openai import OpenAI
    
    import sentry_sdk
    
    sentry_sdk.init(
        dsn="___PUBLIC_DSN___",
        enable_tracing=True,
        traces_sample_rate=1.0,
    )
    
    client = OpenAI()

    For more information, see the documentation for OpenAI integration.

  • Discard open OpenTelemetry spans after 10 minutes (#​2801) by @​antonpirker

  • Propagate sentry-trace and baggage headers to Huey tasks (#​2792) by @​cnschn

  • Added Event type (#​2753) by @​szokeasaurusrex

  • Improve scrub_dict typing (#​2768) by @​szokeasaurusrex

  • Dependencies: bump types-protobuf from 4.24.0.20240302 to 4.24.0.20240311 (#​2797) by @​dependabot

v1.41.0

Compare Source

Various fixes & improvements
  • Add recursive scrubbing to EventScrubber (#​2755) by @​Cheapshot003

    By default, the EventScrubber will not search your events for potential
    PII recursively. With this release, you can enable this behavior with:

    import sentry_sdk
    from sentry_sdk.scrubber import EventScrubber
    
    sentry_sdk.init(

...your usual settings...

  event_scrubber=EventScrubber(recursive=True),

)


- Expose `socket_options` (#&#8203;2786) by @&#8203;sentrivana

If the SDK is experiencing connection issues (connection resets, server
closing connection without response, etc.) while sending events to Sentry,
tweaking the default `urllib3` socket options to the following can help:

```python
import socket
from urllib3.connection import HTTPConnection
import sentry_sdk

sentry_sdk.init(

### ...your usual settings...
    socket_options=HTTPConnection.default_socket_options + [
        (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1),

### note: skip the following line if you're on MacOS since TCP_KEEPIDLE doesn't exist there
        (socket.SOL_TCP, socket.TCP_KEEPIDLE, 45),
        (socket.SOL_TCP, socket.TCP_KEEPINTVL, 10),
        (socket.SOL_TCP, socket.TCP_KEEPCNT, 6),
    ],
)

v1.40.6

Compare Source

Various fixes & improvements

v1.40.5

Compare Source

Various fixes & improvements
  • Deprecate last_event_id(). (#​2749) by @​antonpirker

  • Warn if uWSGI is set up without proper thread support (#​2738) by @​sentrivana

    uWSGI has to be run in threaded mode for the SDK to run properly. If this is
    not the case, the consequences could range from features not working unexpectedly
    to uWSGI workers crashing.

    Please make sure to run uWSGI with both --enable-threads and --py-call-uwsgi-fork-hooks.

  • parsed_url can be None (#​2734) by @​sentrivana

  • Python 3.7 is not supported anymore by Lambda, so removed it and added 3.12 (#​2729) by @​antonpirker

v1.40.4

Compare Source

Various fixes & improvements

v1.40.3

Compare Source

Various fixes & improvements

v1.40.2

Compare Source

Various fixes & improvements

v1.40.1

Compare Source

Various fixes & improvements

v1.40.0

Compare Source

Various fixes & improvements

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 7 times, most recently from e8a1a86 to 1acf72d Compare May 10, 2024 12:46
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 2 times, most recently from 59dad48 to 6ac4fd2 Compare June 10, 2024 13:11
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch from 6ac4fd2 to e52c18c Compare July 5, 2024 10:41
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 4 times, most recently from fc496fc to 2d3a08c Compare July 19, 2024 12:05
@renovate renovate bot changed the title Update dependency sentry-sdk to v1 [SECURITY] Update dependency sentry-sdk to v2 [SECURITY] Jul 19, 2024
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 3 times, most recently from c6ebc28 to 1fe5a2e Compare July 26, 2024 19:04
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 6 times, most recently from df1bd77 to 565740d Compare August 1, 2024 10:32
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 2 times, most recently from 63e60d4 to ea30efb Compare August 9, 2024 14:43
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch from ea30efb to 67aee11 Compare August 20, 2024 09:53
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 3 times, most recently from c888777 to 4615af2 Compare September 6, 2024 10:27
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 4 times, most recently from d9b6bb9 to 19e5429 Compare September 11, 2024 13:31
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 6 times, most recently from 5378720 to 51aea1e Compare September 23, 2024 13:35
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch 3 times, most recently from 8de73ad to f81e154 Compare October 17, 2024 12:19
@renovate renovate bot force-pushed the renovate/pypi-sentry-sdk-vulnerability branch from f81e154 to 5ee0ac4 Compare October 17, 2024 15:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants