Skip to content

ref(integrations): route HTTP header filtering through data collection config#6788

Open
ericapisani wants to merge 18 commits into
masterfrom
py-2584-update-wsgi-filter-headers
Open

ref(integrations): route HTTP header filtering through data collection config#6788
ericapisani wants to merge 18 commits into
masterfrom
py-2584-update-wsgi-filter-headers

Conversation

@ericapisani

@ericapisani ericapisani commented Jul 8, 2026

Copy link
Copy Markdown
Member

_filter_headers follows the legacy send_default_pii/use_annotated_value behaviour when the data collection behaviour is not enabled in _experiments.

When data collection is enabled, it now delegates to _apply_key_value_collection_filtering from sentry_sdk.data_collection, so header scrubbing respects the new data_collection.http_headers.request allowlist/denylist/off configuration when data collection.

Work to scrub cookies in a more granular way will be tackled as part of PY-2581/#6741.

Fixes PY-2584
Fixes #6744

…n config

`_filter_headers` previously used a hardcoded sensitive-header tuple and a
`send_default_pii`/`use_annotated_value` toggle. It now delegates to
`_apply_key_value_collection_filtering` from `sentry_sdk.data_collection`,
so header scrubbing respects the new `data_collection.http_headers.request`
allowlist/denylist/off configuration.

Cookie and set-cookie headers are
always redacted regardless of mode. Drops the now-unused
`use_annotated_value` parameter from all call sites.

Work to scrub cookies in a more granular way will be tackled as part of
PY-2581/#6741.

Fixes PY-2584
Fixes #6744
@linear-code

linear-code Bot commented Jul 8, 2026

Copy link
Copy Markdown

PY-2584

PY-2581

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Codecov Results 📊

91448 passed | ❌ 1 failed | ⏭️ 6301 skipped | Total: 97750 | Pass Rate: 93.55% | Execution Time: 313m 53s

📊 Comparison with Base Branch

Metric Change
Total Tests 📈 +263
Passed Tests 📈 +263
Failed Tests 📈 +1
Skipped Tests 📉 -1

✅ Patch coverage is 100.00%. Project has 2437 uncovered lines.
✅ Project coverage is 89.82%. Comparing base (base) to head (head).

Files with missing lines (1)
File Patch % Lines
sentry_sdk/data_collection.py 100.00% ⚠️ 1 partials
Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    89.80%    89.82%    +0.02%
==========================================
  Files          193       193         —
  Lines        23898     23939       +41
  Branches      8258      8288       +30
==========================================
+ Hits         21461     21502       +41
- Misses        2437      2437         —
- Partials      1353      1354        +1

Generated by Codecov Action

Comment thread sentry_sdk/data_collection.py
Comment thread sentry_sdk/integrations/_wsgi_common.py
…ures

The new lambda_functions_with_embedded_sdk fixture directories were
missing the .gitignore that the other fixtures use to keep everything
except index.py untracked. As a result, certifi and urllib3 packages
installed by the test setup got committed, and ruff failed CI linting
against them since they're unmodified third-party code.

Add the missing .gitignore to each new fixture directory and remove
the committed vendored packages; they are regenerated automatically at
test time via `uv pip install --target`.
Comment on lines +118 to +122
headers = _get_headers(asgi_scope)

request_data["headers"] = _filter_headers(
headers,
use_annotated_value=False,

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was done because when if the headers are filtered with "allowlist" and no terms are provided, and the "host" header is present, then the constructed URL in _get_url below would contain [Filtered] within the URL.

Doing this ensures that it gets filtered from the headers to respect data collection, but still correctly appears in the url

@ericapisani ericapisani marked this pull request as ready for review July 9, 2026 22:48
@ericapisani ericapisani requested a review from a team as a code owner July 9, 2026 22:48
…n config

`_filter_headers` previously used a hardcoded sensitive-header tuple and a
`send_default_pii`/`use_annotated_value` toggle. It now delegates to
`_apply_key_value_collection_filtering` from `sentry_sdk.data_collection`,
so header scrubbing respects the new `data_collection.http_headers.request`
allowlist/denylist/off configuration.

Cookie and set-cookie headers are
always redacted regardless of mode. Drops the now-unused
`use_annotated_value` parameter from all call sites.

Work to scrub cookies in a more granular way will be tackled as part of
PY-2581/#6741.

Fixes PY-2584
Fixes #6744
…ures

The new lambda_functions_with_embedded_sdk fixture directories were
missing the .gitignore that the other fixtures use to keep everything
except index.py untracked. As a result, certifi and urllib3 packages
installed by the test setup got committed, and ruff failed CI linting
against them since they're unmodified third-party code.

Add the missing .gitignore to each new fixture directory and remove
the committed vendored packages; they are regenerated automatically at
test time via `uv pip install --target`.
@ericapisani ericapisani force-pushed the py-2584-update-wsgi-filter-headers branch from 951c408 to d717172 Compare July 14, 2026 17:43
…ntry/sentry-python into py-2584-update-wsgi-filter-headers
Comment on lines +100 to +110

def _apply_key_value_collection_filtering(
items: "Mapping[str, Any]",
behaviour: "KeyValueCollectionBehaviour",
substitute: "Any" = SENSITIVE_DATA_SUBSTITUTE,
) -> "Dict[str, Any]":

if behaviour["mode"] == "off":
return {}

result: "Dict[str, Any]" = {}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The new _experiments.data_collection feature with default settings fails to redact IP address headers like X-Forwarded-For, causing a PII leak.
Severity: HIGH

Suggested Fix

Update the logic for the new data collection feature to include the IP-related deny terms that were part of the legacy send_default_pii=False behavior. Specifically, terms like "forwarded", "-ip", "remote-", "via", and "-user" should be added to the default denylist used by _http_headers_from_value to ensure IP headers are properly redacted.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: sentry_sdk/data_collection.py#L100-L110

Potential issue: When the new `_experiments.data_collection` feature is enabled, even
with default settings, it fails to filter IP-related PII headers like `X-Forwarded-For`
and `X-Real-IP`. This is a regression from the previous behavior. The legacy path used a
`SENSITIVE_HEADERS` list that included IP-related terms, ensuring they were redacted.
The new implementation uses a `_SENSITIVE_DENYLIST` which omits these terms. As a
result, when `_http_headers_from_value` is called for the new feature, it doesn't apply
the necessary filtering, causing IP addresses to be sent to Sentry unfiltered.

Also affects:

  • sentry_sdk/integrations/_wsgi_common.py:212~224

Did we get this right? 👍 / 👎 to inform future reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Update _filter_headers to check data collection settings when available

1 participant