Update dependency sentry-sdk to v1.45.1 [SECURITY] #638
This PR contains the following updates:
Package: sentry-sdk, Change: `==1.5.0` -> `==1.45.1`
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2023-28117
Impact
When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookie values, including the session cookie, to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.
The below must be true in order for these sensitive values to be leaked:
`sendDefaultPII` set to `True`
custom `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` Django settings
Patches
As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on your Django settings and will remove the values from the payload before sending the data to Sentry.
Workarounds
If you cannot update your `sentry-sdk` to a patched version, then you can use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events this can be done with the `before_send` callback and for performance related events (transactions) you can use the `before_send_transaction` callback. If you'd like to handle filtering of these values on the server side, you can also use our advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with your scrubbing rule.
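As an added illustration of the `before_send` / `before_send_transaction` workaround above (example code written for this page, not code from the advisory or the sentry-sdk project): a callback that replaces the values of the Django session and CSRF cookies, under custom names, in both the request cookies and the Cookie header before an event leaves the process. The cookie names, the sample event and the `demo` helper are constructed for the example; the `sentry_sdk.init()` wiring is shown in a comment with a placeholder DSN.

```python
"""Added example: scrub custom-named Django session/CSRF cookies from a Sentry
event before it is sent. Not code from the advisory or the sentry-sdk project;
the cookie names and the sample event below are constructed for illustration."""
from typing import Any, Dict, Optional

# Constructed stand-ins for the Django settings the advisory names.
SESSION_COOKIE_NAME = "acme_sessionid"
CSRF_COOKIE_NAME = "acme_csrftoken"
SENSITIVE_COOKIES = frozenset({SESSION_COOKIE_NAME, CSRF_COOKIE_NAME})
FILTERED = "[Filtered]"


def _scrub_cookie_string(raw: str) -> str:
    """Keep cookie names but blank the values of sensitive ones in a
    'name=value; name2=value2' string (the shape of the Cookie header)."""
    out = []
    for chunk in raw.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, _value = chunk.partition("=")
        if sep and name.strip() in SENSITIVE_COOKIES:
            out.append(f"{name.strip()}={FILTERED}")
        else:
            out.append(chunk)
    return "; ".join(out)


def scrub_sensitive_cookies(event: Dict[str, Any], hint: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Callback for before_send / before_send_transaction: the SDK passes the
    event dict plus a hint; returning the (mutated) event lets it be sent."""
    request = event.get("request")
    if not isinstance(request, dict):
        return event

    # Cookies may be recorded as a dict or as the raw header string.
    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in SENSITIVE_COOKIES:
            if name in cookies:
                cookies[name] = FILTERED
    elif isinstance(cookies, str):
        request["cookies"] = _scrub_cookie_string(cookies)

    # The same values also travel in the Cookie request header.
    headers = request.get("headers")
    if isinstance(headers, dict):
        for key, value in list(headers.items()):
            if key.lower() == "cookie" and isinstance(value, str):
                headers[key] = _scrub_cookie_string(value)
    return event


# Wiring into the SDK (placeholder DSN; not executed in this example):
# sentry_sdk.init(
#     dsn="<YOUR_DSN>",
#     send_default_pii=True,
#     before_send=scrub_sensitive_cookies,
#     before_send_transaction=scrub_sensitive_cookies,
# )


def make_sample_event() -> Dict[str, Any]:
    """Constructed event shaped like the request data the Django integration attaches."""
    return {
        "request": {
            "url": "https://app.example.test/account",
            "cookies": {"theme": "dark", SESSION_COOKIE_NAME: "s3cr3t", CSRF_COOKIE_NAME: "tok3n"},
            "headers": {"Cookie": f"theme=dark; {SESSION_COOKIE_NAME}=s3cr3t; {CSRF_COOKIE_NAME}=tok3n"},
        }
    }


def demo() -> Dict[str, Any]:
    """Run the callback over the constructed event and return the result."""
    return scrub_sensitive_cookies(make_sample_event(), {})


if __name__ == "__main__":
    print(demo()["request"])
```

The callback keeps the cookie names so that the event still shows which cookies were present, which is what the server-side scrubbing rules named above also do; only the values are replaced.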
CVE-2024-40647
Impact
The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the `env={}` setting.
Details
In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use the `env` argument in `subprocess` calls. If you'd want to not pass any variables, you can set an empty dict: `env={}`.
However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when `env={}` is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.
Patches
The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if that is not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:
Replace `env={}` with the minimal dict `env={"EMPTY_ENV": "1"}` or similar, OR
disable the Sentry SDK's Stdlib integration, which the Details section above identifies as the component that passes the variables through.
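As an added self-check for the `env={}` behaviour described above (example code written for this page, not from the advisory or the sentry-sdk project): it sets a constructed canary variable in the parent, launches a child interpreter three ways (inherited environment, `env={}`, and the advisory's minimal-dict workaround) and reports whether the canary reached the child. With no SDK initialized, or with a fixed SDK, only the inherited case shows the canary; run it after your own `sentry_sdk.init()` to observe what the installed SDK actually does. The canary name and the `run_self_check` helper are this example's own.

```python
"""Added example: verify whether a child process really gets the environment
you passed. Not code from the advisory or the sentry-sdk project; the canary
variable name is constructed for this check."""
import json
import os
import subprocess
import sys
from typing import Dict, Optional

CANARY = "SUBPROCESS_ENV_CANARY"  # constructed marker; set only in this process

# The child prints its own environment as JSON so the parent can inspect it.
CHILD_CODE = "import json, os, sys; sys.stdout.write(json.dumps(dict(os.environ)))"


def child_environment(env: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Spawn a child interpreter with the given env mapping (None = inherit)
    and return the environment the child observed."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_CODE],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(proc.stdout)


def canary_leaked(env: Optional[Dict[str, str]]) -> bool:
    """True if a variable set only in the parent shows up in the child."""
    os.environ[CANARY] = "set-in-parent"
    try:
        return CANARY in child_environment(env)
    finally:
        os.environ.pop(CANARY, None)


def run_self_check() -> Dict[str, bool]:
    """The three spawn styles from the advisory discussion, side by side.
    Call this after sentry_sdk.init() to test the SDK that is actually installed."""
    return {
        "inherit": canary_leaked(None),                 # env not given: expected to leak
        "empty_env": canary_leaked({}),                 # env={}: must NOT leak on a fixed SDK
        "minimal_dict": canary_leaked({"EMPTY_ENV": "1"}),  # advisory workaround
    }


if __name__ == "__main__":
    for label, leaked in run_self_check().items():
        print(f"{label:13s} canary reached child: {leaked}")
```

The check looks for one known parent-only variable rather than asserting that the child's environment is completely empty, because the interpreter itself may add entries (for example `LC_CTYPE` under locale coercion) even when `env={}` was honoured.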
Release Notes
getsentry/sentry-python (sentry-sdk)
v1.45.1
This is a security backport release.
Don't send full env to subprocess (892dd80) by @kmichel-aiven. See also GHSA-g92j-qhmh-64v2.
v1.45.0
This is the final 1.x release for the foreseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.
Various fixes & improvements
Allow to upsert monitors (#2929) by @sentrivana. It's now possible to provide `monitor_config` to the `monitor` decorator/context manager directly.
v1.44.1
Various fixes & improvements
Make `monitor` async friendly (#2912) by @sentrivana. You can now decorate your async functions with the `monitor` decorator and they will correctly report their duration and completion status.
Fixed `Event | None` runtime `TypeError` (#2928) by @szokeasaurusrex
v1.44.0
Various fixes & improvements
v1.43.0
Various fixes & improvements
Add optional `keep_alive` (#2842) by @sentrivana. If you're experiencing frequent network issues between the SDK and Sentry, you can try turning on TCP keep-alive by passing `keep_alive=True` to `sentry_sdk.init()` alongside your usual settings.
v1.42.0
Various fixes & improvements
New integration: OpenAI integration (#2791) by @colin-sentry
We added an integration for OpenAI to capture errors and also performance data when using the OpenAI Python SDK.
Usage:
This integration is auto-enabling, so if you have the `openai` package in your project it will be enabled. Just initialize Sentry before you create your OpenAI client. For more information, see the documentation for the OpenAI integration.
Discard open OpenTelemetry spans after 10 minutes (#2801) by @antonpirker
Propagate sentry-trace and baggage headers to Huey tasks (#2792) by @cnschn
Added Event type (#2753) by @szokeasaurusrex
Improve scrub_dict typing (#2768) by @szokeasaurusrex
Dependencies: bump types-protobuf from 4.24.0.20240302 to 4.24.0.20240311 (#2797) by @dependabot
v1.41.0
Various fixes & improvements
Add recursive scrubbing to `EventScrubber` (#2755) by @Cheapshot003. By default, the `EventScrubber` will not search your events for potential PII recursively. With this release, you can enable this behavior by passing `event_scrubber=EventScrubber(recursive=True)` to `sentry_sdk.init()` alongside your usual settings.
`scrub_list` (#2769) by @szokeasaurusrex
`types-protobuf` from 4.24.0.20240129 to 4.24.0.20240302 (#2782) by @dependabot
`checkouts/data-schemas` from `eb941c2` to `ed078ed` (#2781) by @dependabot
v1.40.6
Various fixes & improvements
`greenlet`/`gevent` (#2756) by @sentrivana
`clickhouse-driver==0.2.7` (#2752) by @sentrivana
`checkouts/data-schemas` from `6121fd3` to `eb941c2` (#2747) by @dependabot
v1.40.5
Various fixes & improvements
Deprecate `last_event_id()`. (#2749) by @antonpirker
Warn if uWSGI is set up without proper thread support (#2738) by @sentrivana
uWSGI has to be run in threaded mode for the SDK to run properly. If this is not the case, the consequences could range from features unexpectedly not working to uWSGI workers crashing. Please make sure to run uWSGI with both `--enable-threads` and `--py-call-uwsgi-fork-hooks`.
`parsed_url` can be `None` (#2734) by @sentrivana
Python 3.7 is not supported anymore by Lambda, so removed it and added 3.12 (#2729) by @antonpirker
v1.40.4
Various fixes & improvements
`aa7058c` to `6121fd3` (#2724) by @dependabot
v1.40.3
Various fixes & improvements
v1.40.2
Various fixes & improvements
`pytest` error (#2712) by @szokeasaurusrex
v1.40.1
Various fixes & improvements
`gevent` (#2694) by @sentrivana
`engine.url` being `None` (#2708) by @sentrivana
`sentry_sdk.utils._generate_installed_modules` (#2703) by @GlenWalker
`codecov/codecov-action` from 3 to 4 (#2706) by @dependabot
`actions/cache` from 3 to 4 (#2661) by @dependabot
`actions/checkout` from 3.1.0 to 4.1.1 (#2561) by @dependabot
`github/codeql-action` from 2 to 3 (#2603) by @dependabot
`actions/setup-python` from 4 to 5 (#2577) by @dependabot
v1.40.0
Various fixes & improvements
`UnicodeDecodeError` on Python 2 (#2657) by @sentrivana
`black==24.1.0` (#2680) by @sentrivana
`sentry_sdk.trace` type hints (#2633) by @szokeasaurusrex
`checkouts/data-schemas` from `e9f7d58` to `aa7058c` (#2639) by @dependabot
v1.39.2
Various fixes & improvements
`TypeError` for static and class methods (#2559) by @szokeasaurusrex
`ctx` in Arq integration (#2600) by @ivanovart
`data_category` from `check_in` to `monitor` (#2598) by @sentrivana
v1.39.1
Various fixes & improvements
`error_sampler` function (#2511) by @antonpirker
`aiohttp` (#2590) by @antonpirker
v1.39.0
Various fixes & improvements
`TypeError` with no-argument `apply_async` (#2575) by @szokeasaurusrex
`os.path.devnull` access issues (#2579) by @sentrivana
`code.filepath` frame picking logic (#2568) by @sentrivana
v1.38.0
Various fixes & improvements
`event_processors` for checkins (#2536) by @antonpirker
`jinja2` for generating CI yamls (#2534) by @sentrivana
v1.37.1
Various fixes & improvements
`NameError` on `parse_version` with eventlet (#2532) by @sentrivana
`68def1e` to `e9f7d58` (#2501) by @dependabot
v1.37.0
Various fixes & improvements
Move installed modules code to utils (#2429) by @sentrivana
Note: We moved the internal function `_get_installed_modules` from `sentry_sdk.integrations.modules` to `sentry_sdk.utils`. So if you use this function you have to update your imports.
Add code locations for metrics (#2526) by @jan-auer
Add query source to DB spans (#2521) by @antonpirker
Send events to Spotlight sidecar (#2524) by @HazAT
Run integration tests with newest `pytest` (#2518) by @sentrivana
Bring tests up to date (#2512) by @sentrivana
Fix: Prevent global var from being discarded at shutdown (#2530) by @antonpirker
Fix: Scope transaction source not being updated in scope.span setter (#2519) by @sl0thentr0py
v1.36.0
Various fixes & improvements
`RedisIntegration` is disabled, unless `redis` is installed (#2504) by @szokeasaurusrex
v1.35.0
Various fixes & improvements
Updated gRPC integration: Asyncio interceptors and easier setup (#2369) by @fdellekart
Our gRPC integration now instruments incoming unary-unary grpc requests and outgoing unary-unary and unary-stream grpc requests using grpcio channels. Everything now works for both sync and async code.
Before this release you had to add Sentry interceptors by hand to your gRPC code; now the only thing you need to do is add the `GRPCIntegration` to your `sentry_sdk.init()` call (see the documentation for more information). The old way still works, but we strongly encourage you to update your code to the way described above.
Python 3.12: Replace deprecated datetime functions (#2502) by @sentrivana
Metrics: Unify datetime format (#2409) by @mitsuhiko
Celery: Set correct data in `check_ins` (#2500) by @antonpirker
Celery: Read timezone for Crons monitors from `celery_schedule` if existing (#2497) by @antonpirker
Django: Removing redundant code in Django tests (#2491) by @vagi8
Django: Make reading the request body work in Django ASGI apps. (#2495) by @antonpirker
FastAPI: Use wraps on fastapi request call wrapper (#2476) by @nkaras
Fix: Probe for psycopg2 and psycopg3 parameters function. (#2492) by @antonpirker
Fix: Remove unnecessary TYPE_CHECKING alias (#2467) by @rafrafek
v1.34.0
Various fixes & improvements
`connection_kwargs` in `patch_redis_client` (#2482) by @szokeasaurusrex
v1.33.1
Various fixes & improvements
v1.33.0
Various fixes & improvements
`error_sampler` option (#2456) by @szokeasaurusrex
`debug` option also configurable via environment (#2450) by @antonpirker
`get_dsn_parameters` is an actual function (#2441) by @sentrivana
`redis` database spans (#2398) by @antonpirker
`path` patterns (#2452) by @sentrivana
v1.32.0
Various fixes & improvements
Add GQL GraphQL integration (#2368) by @szokeasaurusrex
Usage:
Add Graphene GraphQL error integration (#2389) by @sentrivana
Usage:
Add Strawberry GraphQL error & tracing integration (#2393) by @sentrivana
Usage:
Make sure to set `async_execution` to `False` if you're executing GraphQL queries synchronously.
Add Ariadne GraphQL error integration (#2387) by @sentrivana
Usage:
Capture multiple named groups again (#2432) by @sentrivana
Don't fail when upstream scheme is unusual (#2371) by @vanschelven
Support new RQ version (#2405) by @antonpirker
Remove `utcnow`, `utcfromtimestamp` deprecated in Python 3.12 (#2415) by @rmad17
Add `trace` to `__all__` in top-level `__init__.py` (#2401) by @lobsterkatie
Move minimetrics code to the SDK (#2385) by @mitsuhiko
Add configurable compression levels (#2382) by @mitsuhiko
Shift flushing by up to a rollup window (#2396) by @mitsuhiko
Make a consistent noop flush behavior (#2428) by @mitsuhiko
Stronger recursion protection (#2426) by @mitsuhiko
Remove `OpenTelemetryIntegration` from `__init__.py` (#2379) by @sentrivana
Update API docs (#2397) by @antonpirker
Pin some test requirements because new majors break our tests (#2404) by @antonpirker
Run more `requests`, `celery`, `falcon` tests (#2414) by @sentrivana
Move `importorskip`s in tests to `__init__.py` files (#2412) by @sentrivana
Fix `mypy` errors (#2433) by @sentrivana
Fix pre-commit issues (#2424) by @bukzor-sentryio
Update CONTRIBUTING.md (#2411) by @sentrivana
Bump `sphinx` from 7.2.5 to 7.2.6 (#2378) by @dependabot
[Experimental] Add explain plan to DB spans (#2315) by @antonpirker
v1.31.0
Various fixes & improvements
New: Add integration for `clickhouse-driver` (#2167) by @mimre25. For more information, see the documentation for clickhouse-driver.
Usage:
New: Add integration for `asyncpg` (#2314) by @mimre25. For more information, see the documentation for asyncpg.
Usage:
New: Allow to override `propagate_traces` in `Celery` per task (#2331) by @jan-auer. For more information, see the documentation for Celery.
Usage:
Enable global distributed traces (this is the default, just to be explicit.)
This will NOT propagate the trace. (The task will start its own trace):
v1.30.0
Various fixes & improvements
Officially support Python 3.11 (#2300) by @sentrivana
Context manager monitor (#2290) by @szokeasaurusrex
Set response status code in transaction `response` context. (#2312) by @antonpirker
Add missing context kwarg to `_sentry_task_factory` (#2267) by @JohnnyDeuss
In Postgres take the connection params from the connection (#2308) by @antonpirker
Experimental: Allow using OTel for performance instrumentation (#2272) by @sentrivana
This release includes experimental support for replacing Sentry's default
performance monitoring solution with one powered by OpenTelemetry without having
to do any manual setup.
Try it out by installing it with `pip install sentry-sdk[opentelemetry-experimental]` and then initializing the SDK with `_experiments={"otel_powered_performance": True}` passed to `sentry_sdk.init()` alongside your usual options.
Enable backpressure handling by default (#2298) by @sl0thentr0py
The SDK now dynamically downsamples transactions to reduce backpressure in high throughput systems. It starts a new `Monitor` thread to perform some health checks which decide to downsample (halved each time) in 10 second intervals till the system is healthy again.
To disable this behavior, pass `enable_backpressure_handling=False` to `sentry_sdk.init()` alongside your usual options.
`ThreadPoolExecutor` (#2259) by @gggritso
`Scope.update_from_*` (#2311) by @sentrivana
`is_sentry_url` to utils (#2304) by @szokeasaurusrex
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.