Skip to content
This repository has been archived by the owner on May 12, 2023. It is now read-only.

Update dependency sentry-sdk to v1 [SECURITY] #50

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 24, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sentry-sdk (changelog) ^0.20.0 -> ^1.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-28117

Impact

When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.

The below must be true in order for these sensitive values to be leaked:

  1. Your Sentry SDK configuration has sendDefaultPII set to True
  2. You are using a custom name for either of the cookies below in your Django settings.
  1. You are not configured in your organization or project settings to use our data scrubbing features to account for the custom cookie names

Patches

As of version 1.14.0, the Django integration of the sentry-sdk will detect the custom cookie names based on your Django settings and will remove the values from the payload before sending the data to Sentry.

Workarounds

If you can not update your sentry-sdk to a patched version than you can use the SDKs filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events this can be done with the before_send callback method and for performance related events (transactions) you can use the before_send_transaction callback method.

If you'd like to handle filtering of these values on the server-side, you can also use our advanced data scrubbing feature to account for the custom cookie names. Look for the $http.cookies, $http.headers, $request.cookies, or $request.headers fields to target with your scrubbing rule.

References

Credits


Release Notes

getsentry/sentry-python

v1.14.0

Compare Source

Various fixes & improvements
  • Add before_send_transaction (#​1840) by @​antonpirker

    Adds a hook (similar to before_send) that is called for all transaction events (performance releated data).

    Usage:

      import sentry_sdk
    
      def strip_sensitive_data(event, hint):

modify event here (or return None if you want to drop the event entirely)

    return event

sentry_sdk.init(

...

    before_send_transaction=strip_sensitive_data,
)

See also: https://docs.sentry.io/platforms/python/configuration/filtering/#using-platformidentifier-namebefore-send-transaction-

- Django: Always remove values of Django session related cookies. (#​1842) by @​antonpirker
- Profiling: Enable profiling for ASGI frameworks (#​1824) by @​Zylphrex
- Profiling: Better gevent support (#​1822) by @​Zylphrex
- Profiling: Add profile context to transaction (#​1860) by @​Zylphrex
- Profiling: Use co_qualname in python 3.11 (#​1831) by @​Zylphrex
- OpenTelemetry: fix Use dict for sentry-trace context instead of tuple (#​1847) by @​AbhiPrasad
- OpenTelemetry: fix extra dependency (#​1825) by @​bernardotorres
- OpenTelemetry: fix NoOpSpan updates scope (#​1834) by @​Zylphrex
- OpenTelemetry: Make sure to noop when there is no DSN (#​1852) by @​antonpirker
- FastAPI: Fix middleware being patched multiple times (#​1841) by @​JohnnyDeuss
- Starlette: Avoid import of pkg_resource with Starlette integration (#​1836) by @​mgu
- Removed code coverage target (#​1862) by @​antonpirker

v1.13.0

Compare Source

Various fixes & improvements

v1.12.1

Compare Source

Various fixes & improvements

v1.12.0

Compare Source

Basic OTel support

This adds support to automatically integrate OpenTelemetry performance tracing with Sentry.

See the documentation on how to set it up:
https://docs.sentry.io/platforms/python/performance/instrumentation/opentelemetry/

Give it a try and let us know if you have any feedback or problems with using it.

By: @​antonpirker (#​1772, #​1766, #​1765)

Various fixes & improvements

v1.11.1

Compare Source

Various fixes & improvements

v1.11.0

Compare Source

Various fixes & improvements

v1.10.1

Compare Source

Various fixes & improvements

v1.10.0

Compare Source

Various fixes & improvements

v1.9.10

Compare Source

Various fixes & improvements

v1.9.9

Compare Source

Django update (ongoing)
  • Instrument Django Signals so they show up in "Performance" view (#​1526) by @​BeryJu
  • include other Django enhancements brought up by the community
Various fixes & improvements

v1.9.8

Compare Source

Various fixes & improvements
  • Baggage creation for head of trace (#​1589) by @​sl0thentr0py
    • The SDK now also generates new baggage entries for dynamic sampling when it is the first (head) SDK in the pipeline.

v1.9.7

Compare Source

Various fixes & improvements

Note: The last version 1.9.6 introduced a breaking change where projects that used Starlette or FastAPI
and had manually setup SentryAsgiMiddleware could not start. This versions fixes this behaviour.
With this version if you have a manual SentryAsgiMiddleware setup and are using Starlette or FastAPI
everything just works out of the box.

Sorry for any inconveniences the last version might have brought to you.

We can do better and in the future we will do our best to not break your code again.

v1.9.6

Compare Source

Various fixes & improvements

v1.9.5

Compare Source

Various fixes & improvements

v1.9.4

Compare Source

Various fixes & improvements

v1.9.3

Compare Source

Various fixes & improvements

v1.9.2

Compare Source

Various fixes & improvements

v1.9.1

Compare Source

Various fixes & improvements

v1.9.0

Compare Source

Various fixes & improvements

v1.8.0

Compare Source

Various fixes & improvements
  • feat(starlette): add Starlette integration (#​1441) by @​sl0thentr0py
    Important: Remove manual usage of SentryAsgiMiddleware! This is now done by the Starlette integration.
    Usage:

    from starlette.applications import Starlette
    
    from sentry_sdk.integrations.starlette import StarletteIntegration
    
    sentry_sdk.init(
        dsn="...",
        integrations=[StarletteIntegration()],
    )
    
    app = Starlette(debug=True, routes=[...])
  • feat(fastapi): add FastAPI integration (#​829) by @​antonpirker

    Important: Remove manual usage of SentryAsgiMiddleware! This is now done by the FastAPI integration.

    Usage:

    from fastapi import FastAPI
    
    from sentry_sdk.integrations.starlette import StarletteIntegration
    from sentry_sdk.integrations.fastapi import FastApiIntegration
    
    sentry_sdk.init(
        dsn="...",
        integrations=[StarletteIntegration(), FastApiIntegration()],
    )
    
    app = FastAPI()

    Yes, you have to add both, the StarletteIntegration AND the FastApiIntegration!

  • fix: avoid sending empty Baggage header (#​1507) by @​intgr

  • fix: properly freeze Baggage object (#​1508) by @​intgr

  • docs: fix simple typo, collecter | collector (#​1505) by @​timgates42

v1.7.2

Compare Source

Various fixes & improvements

v1.7.1

Compare Source

Various fixes & improvements

v1.7.0

Compare Source

Various fixes & improvements
  • feat(tracing): Dynamic Sampling Context / Baggage continuation (#​1485) by @​sl0thentr0py

    The SDK now propagates the W3C Baggage Header from
    incoming transactions to outgoing requests.
    It also extracts Sentry specific sampling information
    and adds it to the transaction headers to enable Dynamic Sampling in the product.

v1.6.0

Compare Source

Various fixes & improvements

v1.5.12

Compare Source

Various fixes & improvements

v1.5.11

Compare Source

Various fixes & improvements

v1.5.10

Compare Source

Various fixes & improvements

v1.5.9

Compare Source

Various fixes & improvements

v1.5.8

Compare Source

Various fixes & improvements

v1.5.7

Compare Source

Various fixes & improvements

v1.5.6

Compare Source

Various fixes & improvements

v1.5.5

Compare Source

  • Add session tracking to ASGI integration (#​1329)
  • Pinning test requirements versions (#​1330)
  • Allow classes to short circuit serializer with sentry_repr (#​1322)
  • Set default on json.dumps in compute_tracestate_value to ensure string conversion (#​1318)

Work in this release contributed by @​tomchuk. Thank you for your contribution!

v1.5.4

Compare Source

  • Add Python 3.10 to test suite (#​1309)
  • Capture only 5xx HTTP errors in Falcon Integration (#​1314)
  • Attempt custom urlconf resolve in got_request_exception as well (#​1317)

v1.5.3

Compare Source

  • Pick up custom urlconf set by Django middlewares from request if any (#​1308)

v1.5.2

Compare Source

Work in this release contributed by @​johnzeringue, @​pgjones and @​ahopkins. Thank you for your contribution!

v1.5.1

Compare Source

Various fixes & improvements

v1.5.0

Compare Source

  • Also record client outcomes for before send #​1211
  • Add support for implicitly sized envelope items #​1229
  • Fix integration with Apache Beam 2.32, 2.33 #​1233
  • Remove Python 2.7 support for AWS Lambda layers in craft config #​1241
  • Refactor Sanic integration for v21.9 support #​1212
  • AWS Lambda Python 3.9 runtime support #​1239
  • Fix "shutdown_timeout" typing #​1256

Work in this release contributed by @​galuszkak, @​kianmeng, @​ahopkins, @​razumeiko, @​tomscytale, and @​seedofjoy. Thank you for your contribution!

v1.4.3

Compare Source

  • Turned client reports on by default.

v1.4.2

Compare Source

  • Made envelope modifications in the HTTP transport non observable #​1206

v1.4.1

Compare Source

  • Fix race condition between finish and start_child in tracing #​1203

v1.4.0

Compare Source

  • No longer set the last event id for transactions #​1186
  • Added support for client reports (disabled by default for now) #​1181
  • Added tracestate header handling #​1179
  • Added real ip detection to asgi integration #​1199

v1.3.1

Compare Source

  • Fix detection of contextvars compatibility with Gevent versions >=20.9.0 #​1157

v1.3.0

Compare Source

  • Add support for Sanic versions 20 and 21 #​1146

v1.2.0

Compare Source

  • Fix for AWSLambda Integration to handle other path formats for function initial handler #​1139
  • Fix for worker to set daemon attribute instead of deprecated setDaemon method #​1093
  • Fix for bottle Integration that discards -dev for version extraction #​1085
  • Fix for transport that adds a unified hook for capturing metrics about dropped events #​1100
  • Add Httpx Integration #​1119
  • Add support for china domains in AWSLambda Integration #​1051

v1.1.0

Compare Source

  • Fix for AWSLambda integration returns value of original handler #​1106
  • Fix for RQ integration that only captures exception if RQ job has failed and ignore retries #​1076
  • Feature that supports Tracing for the Tornado integration #​1060
  • Feature that supports wild cards in ignore_logger in the Logging Integration #​1053
  • Fix for django that deals with template span description names that are either lists or tuples #​1054

v1.0.0

Compare Source

This release contains a breaking change

  • BREAKING CHANGE: Feat: Moved auto_session_tracking experimental flag to a proper option and removed explicitly setting experimental session_mode in favor of auto detecting its value, hence enabling release health by default #​994
  • Fixed Django transaction name by setting the name to request.path_info rather than request.path
  • Fix for tracing by getting HTTP headers from span rather than transaction when possible #​1035
  • Fix for Flask transactions missing request body in non errored transactions #​1034
  • Fix for honoring the X-Forwarded-For header #​1037
  • Fix for worker that logs data dropping of events with level error #​1032

v0.20.3

Compare Source

  • Added scripts to support auto instrumentation of no code AWS lambda Python functions

v0.20.2

Compare Source

  • Fix incorrect regex in craft to include wheel file in pypi release

v0.20.1

Compare Source

  • Fix for error that occurs with Async Middlewares when the middleware is a function rather than a class

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants