Update dependency sentry-sdk to v2 [SECURITY] #163
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.10.2
->2.8.0
GitHub Vulnerability Alerts
CVE-2023-28117
Impact
When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.
The below must be true in order for these sensitive values to be leaked:
sendDefaultPII
set toTrue
SESSION_COOKIE_NAME
orCSRF_COOKIE_NAME
Django settingsPatches
As of version
1.14.0
, the Django integration of thesentry-sdk
will detect the custom cookie names based on your Django settings and will remove the values from the payload before sending the data to Sentry.Workarounds
If you can not update your
sentry-sdk
to a patched version than you can use the SDKs filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events this can be done with the before_send callback method and for performance related events (transactions) you can use the before_send_transaction callback method.If you'd like to handle filtering of these values on the server-side, you can also use our advanced data scrubbing feature to account for the custom cookie names. Look for the
$http.cookies
,$http.headers
,$request.cookies
, or$request.headers
fields to target with your scrubbing rule.References
Credits
CVE-2024-40647
Impact
The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the
env={}
setting.Details
In Python's
subprocess
calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may useenv
argument insubprocess
calls, like in this example:If you'd want to not pass any variables, you can set an empty dict:
However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when
env={}
is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.Patches
The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:
env={}
with the minimal dictenv={"EMPTY_ENV":"1"}
or similar.OR
References
Release Notes
getsentry/sentry-python (sentry-sdk)
v2.8.0
Compare Source
Various fixes & improvements
profiler_id
uses underscore (#3249) by @ZylphrexHub
inHttpTransport
(#3247) by @szokeasaurusrexipdb
from test requirements (#3237) by @rominfSentryPropagator
(#3086) by @mender8c13457
to88273a9
(#3225) by @dependabotv2.7.1
Compare Source
Various fixes & improvements
v2.7.0
Compare Source
origin
to spans and transactions (#3133) by @antonpirkerdb.query
todb
(#3186) by @0Caloriesv2.6.0
Compare Source
59f9683
to8c13457
(#3146) by @dependabotv2.5.1
Compare Source
This change fixes a regression in our cron monitoring feature, which caused cron checkins not to be sent. The regression appears to have been introduced in version 2.4.0.
We recommend that all users, who use Cron monitoring and are currently running sentry-python ≥2.4.0, upgrade to this release as soon as possible!
Other fixes & improvements
last_event_id
cleared (#3124) by @szokeasaurusrexv2.5.0
Compare Source
Various fixes & improvements
Allow to configure status codes to report to Sentry in Starlette and FastAPI (#3008) by @sentrivana
By passing a new option to the FastAPI and Starlette integrations, you're now able to configure what
status codes should be sent as events to Sentry. Here's how it works:
...
)
v2.4.0
Compare Source
Various fixes & improvements
cache.key
span data field a list (#3110) by @antonpirkerlast_event_id
from migration guide (#3126) by @szokeasaurusrex_last_event_id
inScope.__copy__
(#3123) by @szokeasaurusrex4381a97
to59f9683
(#3066) by @dependabotv2.3.1
Compare Source
Various fixes & improvements
v2.3.0
Compare Source
Various fixes & improvements
cohere
testsuite for new release ofcohere
(#3098) by @antonpirker_sentry_span
might be missing (#3096) by @sentrivanav2.2.1
Compare Source
Various fixes & improvements
v2.2.0
Compare Source
New features
last_event_id
function, which had been removed in 2.0.0Other fixes & improvements
get_client
typing (#3063) by @szokeasaurusrexMeasurementValue.unit
NotRequired (#3051) by @antonpirkerv2.1.1
Compare Source
v2.1.0
Compare Source
fix(quart): Fix Quart integration (#3043) by @szokeasaurusrex
New integration: Langchain (#2911) by @colin-sentry
Usage: (Langchain is auto enabling, so you do not need to do anything special)
Check out the LangChain docs for details.
New integration: Anthropic (#2831) by @czyber
Usage: (add the AnthropicIntegration to your
sentry_sdk.init()
call)Check out the Anthropic docs for details.
New integration: Huggingface Hub (#3033) by @colin-sentry
Usage: (Huggingface Hub is auto enabling, so you do not need to do anything special)
Check out the Huggingface docs for details. (comming soon!)
fix(huggingface): Reduce API cross-section for huggingface in test (#3042) by @colin-sentry
fix(django): Fix Django ASGI integration on Python 3.12 (#3027) by @bellini666
feat(perf): Add ability to put measurements directly on spans. (#2967) by @colin-sentry
fix(tests): Fix trytond tests (#3031) by @sentrivana
fix(tests): Update
pytest-asyncio
to fix CI (#3030) by @sentrivanafix(docs): Link to respective migration guides directly (#3020) by @sentrivana
docs(scope): Add docstring to
Scope.set_tags
(#2978) by @szokeasaurusrextest(scope): Fix typos in assert error message (#2978) by @szokeasaurusrex
feat(scope): New
set_tags
function (#2978) by @szokeasaurusrextest(scope): Add unit test for
Scope.set_tags
(#2978) by @szokeasaurusrexfeat(scope): Add
set_tags
to top-level API (#2978) by @szokeasaurusrextest(scope): Add unit test for top-level API
set_tags
(#2978) by @szokeasaurusrexfeat(tests): Parallelize tox (#3025) by @sentrivana
build(deps): Bump checkouts/data-schemas from
4aa14a7
to4381a97
(#3028) by @dependabotmeta(license): Bump copyright year (#3029) by @szokeasaurusrex
v2.0.1
Compare Source
Various fixes & improvements
pid
for test database name in Django tests (#2998) by @antonpirker1e17eb5
to4aa14a7
(#2997) by @dependabotv2.0.0
Compare Source
This is the first major update in a long time!
We dropped support for some ancient languages and frameworks (Yes, Python 2.7 is no longer supported). Additionally we refactored a big part of the foundation of the SDK (how data inside the SDK is handled).
We hope you like it!
For a shorter version of what you need to do, to upgrade to Sentry SDK 2.0 see: https://docs.sentry.io/platforms/python/migration/1.x-to-2.x
New Features
new_scope
,isolation_scope
. See the Deprecated section to see how they map to the existing APIs.Changed
(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))
authenticated_userid()
in a customAuthenticationPolicy
class.need_code_loation
of theMetricsAggregator
was renamed toneed_code_location
.BackgroundWorker
thread used to process events was renamed fromraven-sentry.BackgroundWorker
tosentry-sdk.BackgroundWorker
.reraise
function was moved fromsentry_sdk._compat
tosentry_sdk.utils
._ScopeManager
was moved fromsentry_sdk.hub
tosentry_sdk.scope
.tracing_utils_py3.py
totracing_utils.py
. Thestart_child_span_decorator
is now insentry_sdk.tracing_utils
.get_current_span
was moved tosentry_sdk.tracing_utils
.sentry_sdk.get_current_span
is still accessible as part of the top-level API.sentry_sdk.tracing_utils.add_query_source()
: Removed thehub
parameter. It is not necessary anymore.sentry_sdk.tracing_utils.record_sql_queries()
: Removed thehub
parameter. It is not necessary anymore.sentry_sdk.tracing_utils.get_current_span()
does now take ascope
instead of ahub
as parameter.sentry_sdk.tracing_utils.should_propagate_trace()
now takes aClient
instead of aHub
as first parameter.sentry_sdk.utils.is_sentry_url()
now takes aClient
instead of aHub
as first parameter.sentry_sdk.utils._get_contextvars
does not return a tuple with three values, but a tuple with two values. Thecopy_context
was removed.configure_scope
block this does not work anymore. Here is a recipe on how to change your code to make it work:Your existing implementation:
later in the code execution:
later in the code execution:
The classes listed in the table below are now abstract base classes. Therefore, they can no longer be instantiated. Subclasses can only be instantiated if they implement all of the abstract methods.
Show table
sentry_sdk.integrations.Integration
setup_once
sentry_sdk.metrics.Metric
add
,serialize_value
, andweight
sentry_sdk.profiler.Scheduler
setup
andteardown
sentry_sdk.transport.Transport
capture_envelope
Removed
(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))
last_event_id()
top level API. The last event ID is still returned bycapture_event()
,capture_exception()
andcapture_message()
but the top level APIsentry_sdk.last_event_id()
has been removed./store
endpoint. Everything is now sent to the/envelope
endpoint. If you're on SaaS you don't have to worry about this, but if you're running Sentry yourself you'll need version20.6.0
or higher of self-hosted Sentry.with_locals
configuration option was removed. Useinclude_local_variables
instead. See https://docs.sentry.io/platforms/python/configuration/options/#include-local-variables.request_bodies
configuration option was removed. Usemax_request_body_size
. See https://docs.sentry.io/platforms/python/configuration/options/#max-request-body-size.user.segment
. It was also removed from the trace header as well as from the dynamic sampling context.install
method for custom integrations. Please usesetup_once
instead.sentry_sdk.tracing.Span.new_span
. Usesentry_sdk.tracing.Span.start_child
instead.sentry_sdk.tracing.Transaction.new_span
. Usesentry_sdk.tracing.Transaction.start_child
instead.sentry_sdk.tracing.Span(transaction=...)
. To create a transaction, please usesentry_sdk.tracing.Transaction(name=...)
.sentry_sdk.utils.Auth.store_api_url
.sentry_sdk.utils.Auth.get_api_url
's now accepts asentry_sdk.consts.EndpointType
enum instead of a string as its only parameter. We recommend omitting this argument when calling the function, since the parameter's default value is the only possiblesentry_sdk.consts.EndpointType
value. The parameter exists for future compatibility.tracing_utils_py2.py
. Thestart_child_span_decorator
is now insentry_sdk.tracing_utils
.sentry_sdk.profiler.Scheduler.stop_profiling
method. Any calls to this method can simply be removed, since this was a no-op method.Deprecated
Using the
Hub
directly as well as using hub-based APIs has been deprecated. Where available, use the top-level API instead; otherwise use the scope API or the client API.Before:
do something
Hub cloning is deprecated.
Before:
do something with the cloned hub
configure_scope
is deprecated. Use the new isolation scope directly viaget_isolation_scope()
instead.Before:
do something with
scope
v1.45.1
Compare Source
This is a security backport release.
Don't send full env to subprocess (
892dd80
) by @kmichel-aivenSee also GHSA-g92j-qhmh-64v2
v1.45.0
Compare Source
This is the final 1.x release for the forseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.
Various fixes & improvements
Allow to upsert monitors (#2929) by @sentrivana
It's now possible to provide
monitor_config
to themonitor
decorator/context manager directly:v1.44.1
Compare Source
Various fixes & improvements
Make
monitor
async friendly (#2912) by @sentrivanaYou can now decorate your async functions with the
monitor
decorator and they will correctly report their duration
and completion status.
Fixed
Event | None
runtimeTypeError
(#2928) by @szokeasaurusrexv1.44.0
Compare Source
Various fixes & improvements
v1.43.0
Compare Source
Various fixes & improvements
Add optional
keep_alive
(#2842) by @sentrivanaIf you're experiencing frequent network issues between the SDK and Sentry,
you can try turning on TCP keep-alive:
...your usual settings...
)
v1.42.0
Compare Source
Various fixes & improvements
New integration: OpenAI integration (#2791) by @colin-sentry
We added an integration for OpenAI to capture errors and also performance data when using the OpenAI Python SDK.
Useage:
This integrations is auto-enabling, so if you have the
openai
package in your project it will be enabled. Just initialize Sentry before you create your OpenAI client.For more information, see the documentation for OpenAI integration.
Discard open OpenTelemetry spans after 10 minutes (#2801) by @antonpirker
Propagate sentry-trace and baggage headers to Huey tasks (#2792) by @cnschn
Added Event type (#2753) by @szokeasaurusrex
Improve scrub_dict typing (#2768) by @szokeasaurusrex
Dependencies: bump types-protobuf from 4.24.0.20240302 to 4.24.0.20240311 (#2797) by @dependabot
v1.41.0
Compare Source
Various fixes & improvements
Add recursive scrubbing to
EventScrubber
(#2755) by @Cheapshot003By default, the
EventScrubber
will not search your events for potentialPII recursively. With this release, you can enable this behavior with:
...your usual settings...
)
scrub_list
(#2769) by @szokeasaurusrextypes-protobuf
from 4.24.0.20240129 to 4.24.0.20240302 (#2782) by @dependabotcheckouts/data-schemas
fromeb941c2
toed078ed
(#2781) by @dependabotv1.40.6
Compare Source
Various fixes & improvements
greenlet
/gevent
(#2756) by @sentrivanaclickhouse-driver==0.2.7
(#2752) by @sentrivanacheckouts/data-schemas
from6121fd3
toeb941c2
(#2747) by @dependabotv1.40.5
Compare Source
Various fixes & improvements
Deprecate
last_event_id()
. (#2749) by @antonpirkerWarn if uWSGI is set up without proper thread support (#2738) by @sentrivana
uWSGI has to be run in threaded mode for the SDK to run properly. If this is
not the case, the consequences could range from features not working unexpectedly
to uWSGI workers crashing.
Please make sure to run uWSGI with both
--enable-threads
and--py-call-uwsgi-fork-hooks
.parsed_url
can beNone
(#2734) by @sentrivanaPython 3.7 is not supported anymore by Lambda, so removed it and added 3.12 (#2729) by @antonpirker
v1.40.4
Compare Source
Various fixes & improvements
aa7058c
to6121fd3
(#2724) by @dependabotv1.40.3
Compare Source
Various fixes & improvements
v1.40.2
Compare Source
Various fixes & improvements
pytest
error (#2712) by @szokeasaurusrexv1.40.1
Compare Source
Various fixes & improvements
gevent
(#2694) by @sentrivanaengine.url
beingNone
(#2708) by @sentrivanasentry_sdk.utils._generate_installed_modules
(#2703) by @GlenWalkercodecov/codecov-action
from 3 to 4 (#2706) by @dependabotactions/cache
from 3 to 4 (#2661) by @dependabotactions/checkout
from 3.1.0 to 4.1.1 (#2561) by @dependabotgithub/codeql-action
from 2 to 3 (#2603) by @dependabotactions/setup-python
from 4 to 5 (#2577) by @dependabotv1.40.0
Compare Source
Various fixes & improvements
UnicodeDecodeError
on Python 2 ([#2657](https://redirect.github.com/getsentry/sentry-python/iConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.