The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.
Details
In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:
If you'd want to not pass any variables, you can set an empty dict:
>>> subprocess.check_output(["env"], env={})
b''
However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:
In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.
### References
* Sentry docs: [Default integrations](https://docs.sentry.io/platforms/python/integrations/default-integrations/)
* Python docs: [subprocess module](https://docs.python.org/3/library/subprocess.html)
* Patch [https://github.com/getsentry/sentry-python/pull/3251](https://redirect.github.com/getsentry/sentry-python/pull/3251)
---
### Release Notes
<details>
<summary>getsentry/sentry-python (sentry-sdk)</summary>
### [`v2.8.0`](https://redirect.github.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#280)
[Compare Source](https://redirect.github.com/getsentry/sentry-python/compare/2.7.1...2.8.0)
##### Various fixes & improvements
- `profiler_id` uses underscore ([#​3249](https://redirect.github.com/getsentry/sentry-python/issues/3249)) by [@​Zylphrex](https://redirect.github.com/Zylphrex)
- Don't send full env to subprocess ([#​3251](https://redirect.github.com/getsentry/sentry-python/issues/3251)) by [@​kmichel-aiven](https://redirect.github.com/kmichel-aiven)
- Stop using `Hub` in `HttpTransport` ([#​3247](https://redirect.github.com/getsentry/sentry-python/issues/3247)) by [@​szokeasaurusrex](https://redirect.github.com/szokeasaurusrex)
- Remove `ipdb` from test requirements ([#​3237](https://redirect.github.com/getsentry/sentry-python/issues/3237)) by [@​rominf](https://redirect.github.com/rominf)
- Avoid propagation of empty baggage ([#​2968](https://redirect.github.com/getsentry/sentry-python/issues/2968)) by [@​hartungstenio](https://redirect.github.com/hartungstenio)
- Add entry point for `SentryPropagator` ([#​3086](https://redirect.github.com/getsentry/sentry-python/issues/3086)) by [@​mender](https://redirect.github.com/mender)
- Bump checkouts/data-schemas from `8c13457` to `88273a9` ([#​3225](https://redirect.github.com/getsentry/sentry-python/issues/3225)) by [@​dependabot](https://redirect.github.com/dependabot)
### [`v2.7.1`](https://redirect.github.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#271)
[Compare Source](https://redirect.github.com/getsentry/sentry-python/compare/2.7.0...2.7.1)
##### Various fixes & improvements
- fix(otel): Fix missing baggage ([#​3218](https://redirect.github.com/getsentry/sentry-python/issues/3218)) by [@​sentrivana](https://redirect.github.com/sentrivana)
- This is the config file of asdf-vm which we do not use. ([#​3215](https://redirect.github.com/getsentry/sentry-python/issues/3215)) by [@​antonpirker](https://redirect.github.com/antonpirker)
- Added option to disable middleware spans in Starlette ([#​3052](https://redirect.github.com/getsentry/sentry-python/issues/3052)) by [@​antonpirker](https://redirect.github.com/antonpirker)
- build: Update tornado version in setup.py to match code check. ([#​3206](https://redirect.github.com/getsentry/sentry-python/issues/3206)) by [@​aclemons](https://redirect.github.com/aclemons)
</details>
---
### Configuration
š **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
ā» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/liqd/tempelhof).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MzEuNCIsInVwZGF0ZWRJblZlciI6IjM4LjU5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbInJlbm92YXRlIl19-->
This PR contains the following updates:
==2.7.0->==2.8.0GitHub Vulnerability Alerts
CVE-2024-40647
Impact
The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the
env={}setting.Details
In Python's
subprocesscalls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may useenvargument insubprocesscalls, like in this example:If you'd want to not pass any variables, you can set an empty dict:
However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when
env={}is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.Patches
The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:
env={}with the minimal dictenv={"EMPTY_ENV":"1"}or similar.OR
Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")
sentry_sdk.init(...)