getsentry / sentry-ruby

Sentry SDK for Ruby
https://sentry.io/for/ruby
MIT License

SessionFlusher ignores enabled_environments config #2234

Closed Galathius closed 9 months ago

Galathius commented 9 months ago

Issue Description

Recently we started using the Sentry Releases feature, which required adding this configuration to our Sentry initializer:

Sentry.init do |config|
  config.dsn = Settings.sentry.dsn
  config.enabled_environments = %w[staging production]
  config.release = 'test-release' # <--- New config
end

Unfortunately, even with only the staging and production environments enabled, the Sentry gem still tries to send Session info in the development environment (where we have a fake dsn). This leads to the following error in the logs 1 minute after the rails server boots and processes the first request:

2024-01-16 15:24:29.174419 I Rails -- sentry -- [Transport] Sending envelope with items [sessions]  to Sentry
2024-01-16 15:24:29.464377 E Rails -- sentry -- exception happened in background worker: the server responded with status 403
body:
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
        <meta name="robots" content="NONE,NOARCHIVE">
        <link href="https://s1.sentry-cdn.com/_static/4fc9771d060bd95f1ae524d288b5113c/sentry/images/favicon.ico" rel="shortcut icon" type="image/png"/>
        <link href="https://s1.sentry-cdn.com/_static/dist/sentry/entrypoints-hashed/sentry-_T-wZwCCznWSPyllnW1TsVKgRkJORZKGIT_ZNYwFNG4.css" rel="stylesheet" type="text/css" />

        <title>CSRF Verification Failed | Sentry</title>

        <style type="text/css">
          header {
            padding: 40px 0;
            font-size: 15px;
            margin-bottom: 40px;
          }
          .container {
            max-width: 1040px;
          }
        </style>

    </head>

    <body>

        <header>
            <div class="container">
                <div class="pull-left">
                    <a href="/" id="logo"><img src="https://s1.sentry-cdn.com/_static/4fc9771d060bd95f1ae524d288b5113c/getsentry/images/logo.png" /></a>
                </div>
            </div>
        </header>

        <section id="content">

            <div class="container">
                <div class="page-header">
                    <h2>CSRF Verification Failed</h2>
                </div>

                <p>A required security token was not found or was invalid.</p>

                <p>If you're continually seeing this issue, try the following:</p>

                <ol>
                  <li>Clear cookies (at least for Sentry's domain).</li>
                  <li>Reload the page you're trying to submit (don't re-submit data).</li>
                  <li>Re-enter the information, and submit the form again.</li>
                  <li>Ensure the URL does not contain an extra "/" anywhere (eg: https://foo//saml -> https://foo/saml).</li>
                </ol>

                <p>Read more about <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF on Wikipedia</a>.</p>

                <div class="page-header">
                    <h3>System Status</h3>
                </div>

                <p><strong><span id="official-system-status"></span></strong></p>

                <p>If our status page says we're up but something is clearly wrong, <a href="mailto:support@sentry.io">let us know</a> what you're seeing.</p>

                <script nonce="EtZB05K0phwCqYprzxO7RQ==" src="https://statuspage-production.s3.amazonaws.com/se.js" type="text/javascript"></script>
                <script nonce="EtZB05K0phwCqYprzxO7RQ==" type="text/javascript">window.fetchStatusPage({
                    pageId: 't687h3m0nh65',
                    renderTo: '#official-system-status'
                  });</script>
            </div>

        </section>
    </body>
</html>

Reproduction Steps

1) $ rails new test-sentry-ruby
2) $ cd test-sentry-ruby
3) $ bundle add sentry-ruby sentry-rails
4) Add config/initializers/sentry.rb with the following configuration:

Sentry.init do |config|
  config.dsn = 'https://your_publick_key:your_secret_key@app.getsentry.com/app_id'
  config.enabled_environments = %w[staging production]
  config.release = 'development'
end

5) Run rails server and open the home page in the browser - http://localhost:3000/
6) In ~1 minute open the development.log file

Expected Behavior

No Sentry-related errors in logs, as the development env is not listed in enabled_environments.

Actual Behavior

A bunch of errors in the development.log file:

[Transport] Sending envelope with items [sessions]  to Sentry
exception happened in background worker: the server responded with status 403

Ruby Version

3.2.2

SDK Version

5.16.1 (also confirmed in 5.5)

Integration and Its Version

Rails = 7.1.2 (also confirmed in Rails 7.0.4)

Sentry Config

Sentry.init do |config|
  config.dsn = 'https://your_publick_key:your_secret_key@app.getsentry.com/app_id'
  config.enabled_environments = %w[staging production]
  config.release = 'development'
end

sl0thentr0py commented 9 months ago

yep need to add a check there, thanks for reporting!

st0012 commented 9 months ago

I can take a look at this.
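
A minimal model of the missing check discussed in this issue, added here as an illustration; it is not sentry-ruby source code or the project's fix. `ToyConfig`, `RecordingTransport`, `ToySessionFlusher` and `envelopes_sent` are hypothetical names, and treating an empty or missing allow-list as "enabled everywhere" is an assumption of the model.

```ruby
# Simplified model, constructed for illustration; not sentry-ruby internals.
ToyConfig = Struct.new(:environment, :enabled_environments, keyword_init: true) do
  # Assumption: an empty or missing allow-list means every environment is enabled.
  def enabled_in_current_env?
    list = enabled_environments || []
    list.empty? || list.include?(environment)
  end
end

# Stand-in transport that records envelopes instead of doing network I/O.
class RecordingTransport
  attr_reader :sent

  def initialize
    @sent = []
  end

  def send_envelope(items)
    @sent << items
  end
end

class ToySessionFlusher
  # guard: false models the reported behaviour (flush regardless of environment);
  # guard: true consults the allow-list before anything leaves the process.
  def initialize(config, transport, guard:)
    @config = config
    @transport = transport
    @guard = guard
    @pending = Hash.new(0)
  end

  def add_session(status)
    @pending[status] += 1
  end

  def flush
    return :nothing_pending if @pending.empty?
    batch = @pending.dup
    @pending.clear # drop aggregates either way so they cannot be sent later
    return :skipped if @guard && !@config.enabled_in_current_env?
    @transport.send_envelope(sessions: batch)
    :sent
  end
end

# Returns how many envelopes reached the transport after one tracked request.
def envelopes_sent(environment:, guard:)
  config = ToyConfig.new(environment: environment, enabled_environments: %w[staging production])
  transport = RecordingTransport.new
  flusher = ToySessionFlusher.new(config, transport, guard: guard)
  flusher.add_session(:exited)
  flusher.flush
  transport.sent.length
end
```

The same assertion shape (zero envelopes recorded in an environment outside the allow-list) works as a regression test for any telemetry path that flushes on a timer rather than per event.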