ref(integrations): route HTTP header filtering through data collection config#6788
ref(integrations): route HTTP header filtering through data collection config#6788ericapisani wants to merge 18 commits into
Conversation
…n config `_filter_headers` previously used a hardcoded sensitive-header tuple and a `send_default_pii`/`use_annotated_value` toggle. It now delegates to `_apply_key_value_collection_filtering` from `sentry_sdk.data_collection`, so header scrubbing respects the new `data_collection.http_headers.request` allowlist/denylist/off configuration. Cookie and set-cookie headers are always redacted regardless of mode. Drops the now-unused `use_annotated_value` parameter from all call sites. Work to scrub cookies in a more granular way will be tackled as part of PY-2581/#6741. Fixes PY-2584 Fixes #6744
Codecov Results 📊✅ 91448 passed | ❌ 1 failed | ⏭️ 6301 skipped | Total: 97750 | Pass Rate: 93.55% | Execution Time: 313m 53s 📊 Comparison with Base Branch
✅ Patch coverage is 100.00%. Project has 2437 uncovered lines. Files with missing lines (1)
Coverage diff@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 89.80% 89.82% +0.02%
==========================================
Files 193 193 —
Lines 23898 23939 +41
Branches 8258 8288 +30
==========================================
+ Hits 21461 21502 +41
- Misses 2437 2437 —
- Partials 1353 1354 +1Generated by Codecov Action |
… _experiments property in the client
…still being needed for the url attribute
…ures The new lambda_functions_with_embedded_sdk fixture directories were missing the .gitignore that the other fixtures use to keep everything except index.py untracked. As a result, certifi and urllib3 packages installed by the test setup got committed, and ruff failed CI linting against them since they're unmodified third-party code. Add the missing .gitignore to each new fixture directory and remove the committed vendored packages; they are regenerated automatically at test time via `uv pip install --target`.
| headers = _get_headers(asgi_scope) | ||
|
|
||
| request_data["headers"] = _filter_headers( | ||
| headers, | ||
| use_annotated_value=False, |
There was a problem hiding this comment.
This change was done because when if the headers are filtered with "allowlist" and no terms are provided, and the "host" header is present, then the constructed URL in _get_url below would contain [Filtered] within the URL.
Doing this ensures that it gets filtered from the headers to respect data collection, but still correctly appears in the url
…n config `_filter_headers` previously used a hardcoded sensitive-header tuple and a `send_default_pii`/`use_annotated_value` toggle. It now delegates to `_apply_key_value_collection_filtering` from `sentry_sdk.data_collection`, so header scrubbing respects the new `data_collection.http_headers.request` allowlist/denylist/off configuration. Cookie and set-cookie headers are always redacted regardless of mode. Drops the now-unused `use_annotated_value` parameter from all call sites. Work to scrub cookies in a more granular way will be tackled as part of PY-2581/#6741. Fixes PY-2584 Fixes #6744
… _experiments property in the client
…still being needed for the url attribute
…ures The new lambda_functions_with_embedded_sdk fixture directories were missing the .gitignore that the other fixtures use to keep everything except index.py untracked. As a result, certifi and urllib3 packages installed by the test setup got committed, and ruff failed CI linting against them since they're unmodified third-party code. Add the missing .gitignore to each new fixture directory and remove the committed vendored packages; they are regenerated automatically at test time via `uv pip install --target`.
951c408 to
d717172
Compare
…ntry/sentry-python into py-2584-update-wsgi-filter-headers
|
|
||
| def _apply_key_value_collection_filtering( | ||
| items: "Mapping[str, Any]", | ||
| behaviour: "KeyValueCollectionBehaviour", | ||
| substitute: "Any" = SENSITIVE_DATA_SUBSTITUTE, | ||
| ) -> "Dict[str, Any]": | ||
|
|
||
| if behaviour["mode"] == "off": | ||
| return {} | ||
|
|
||
| result: "Dict[str, Any]" = {} |
There was a problem hiding this comment.
Bug: The new _experiments.data_collection feature with default settings fails to redact IP address headers like X-Forwarded-For, causing a PII leak.
Severity: HIGH
Suggested Fix
Update the logic for the new data collection feature to include the IP-related deny terms that were part of the legacy send_default_pii=False behavior. Specifically, terms like "forwarded", "-ip", "remote-", "via", and "-user" should be added to the default denylist used by _http_headers_from_value to ensure IP headers are properly redacted.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: sentry_sdk/data_collection.py#L100-L110
Potential issue: When the new `_experiments.data_collection` feature is enabled, even
with default settings, it fails to filter IP-related PII headers like `X-Forwarded-For`
and `X-Real-IP`. This is a regression from the previous behavior. The legacy path used a
`SENSITIVE_HEADERS` list that included IP-related terms, ensuring they were redacted.
The new implementation uses a `_SENSITIVE_DENYLIST` which omits these terms. As a
result, when `_http_headers_from_value` is called for the new feature, it doesn't apply
the necessary filtering, causing IP addresses to be sent to Sentry unfiltered.
Also affects:
sentry_sdk/integrations/_wsgi_common.py:212~224
Did we get this right? 👍 / 👎 to inform future reviews.
_filter_headersfollows the legacysend_default_pii/use_annotated_valuebehaviour when the data collection behaviour is not enabled in_experiments.When data collection is enabled, it now delegates to
_apply_key_value_collection_filteringfromsentry_sdk.data_collection, so header scrubbing respects the newdata_collection.http_headers.requestallowlist/denylist/off configuration when data collection.Work to scrub cookies in a more granular way will be tackled as part of PY-2581/#6741.
Fixes PY-2584
Fixes #6744