stencila / hub

☸️ Hub for executable documents
https://hub.stenci.la
Apache License 2.0
31 stars 4 forks

chore(deps): update dependency sentry-sdk to v2 [security] - autoclosed #1391

Closed renovate[bot] closed 3 months ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| sentry-sdk (changelog) | `==1.3.1` -> `==2.8.0` |

GitHub Vulnerability Alerts

CVE-2023-28117

Impact

When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.

The below must be true in order for these sensitive values to be leaked:

  1. Your Sentry SDK configuration has `send_default_pii` set to `True` (the Python SDK spelling of the `sendDefaultPII` option).
  2. You are using a custom name for the Django session or CSRF cookie (the `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` setting) in your Django settings.
  3. You have not configured data scrubbing in your organization or project settings to account for the custom cookie names.

Patches

As of version 1.14.0, the Django integration of the sentry-sdk will detect the custom cookie names based on your Django settings and will remove the values from the payload before sending the data to Sentry.

Workarounds

If you cannot update your sentry-sdk to a patched version, then you can use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events this can be done with the before_send callback method and for performance related events (transactions) you can use the before_send_transaction callback method.

If you'd like to handle filtering of these values on the server-side, you can also use our advanced data scrubbing feature to account for the custom cookie names. Look for the $http.cookies, $http.headers, $request.cookies, or $request.headers fields to target with your scrubbing rule.
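As an added illustration of the before_send workaround (example code, not from the advisory and not from stencila/hub): the callback below scrubs the values of renamed session and CSRF cookies from both the parsed `cookies` dict and the raw `Cookie` header of an event before it leaves the process. The cookie names `hub_sessionid` and `hub_csrftoken` are assumed for the example; in a Django app read them from `django.conf.settings.SESSION_COOKIE_NAME` and `CSRF_COOKIE_NAME`. The function names are chosen here and are not part of the SDK.

```python
# Added example (not sentry-sdk or stencila/hub code): strip Django's renamed
# session and CSRF cookies from Sentry events in a before_send callback.
from typing import Any, Dict, Iterable

FILTERED = "[Filtered]"  # Sentry's conventional placeholder for scrubbed values

# Assumed custom cookie names, i.e. the configuration that sentry-sdk < 1.14.0
# did not recognise. In Django, take these from django.conf.settings instead.
SESSION_COOKIE_NAME = "hub_sessionid"
CSRF_COOKIE_NAME = "hub_csrftoken"
SENSITIVE_COOKIES = frozenset({SESSION_COOKIE_NAME, CSRF_COOKIE_NAME})


def filter_cookie_header(value: str, names: Iterable[str] = SENSITIVE_COOKIES) -> str:
    """Replace the values of the named cookies inside a raw Cookie header."""
    names = set(names)
    parts = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, _ = chunk.partition("=")
        name = name.strip()
        if sep and name in names:
            parts.append(f"{name}={FILTERED}")
        else:
            parts.append(chunk)
    return "; ".join(parts)


def scrub_cookies(event: Dict[str, Any], hint: Any = None) -> Dict[str, Any]:
    """before_send / before_send_transaction callback.

    sentry-sdk puts request data under event["request"]: parsed cookies in
    the "cookies" dict and the raw header in "headers". Both are scrubbed;
    the rest of the event is returned untouched.
    """
    request = event.get("request")
    if not isinstance(request, dict):
        return event

    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in SENSITIVE_COOKIES:
            if name in cookies:
                cookies[name] = FILTERED

    headers = request.get("headers")
    if isinstance(headers, dict):
        for key in list(headers):  # header names are case-insensitive
            if key.lower() == "cookie" and isinstance(headers[key], str):
                headers[key] = filter_cookie_header(headers[key])
    return event


def sample_event() -> Dict[str, Any]:
    """A constructed event in the shape sent with send_default_pii=True."""
    return {
        "request": {
            "url": "https://hub.example/projects/1",
            "cookies": {SESSION_COOKIE_NAME: "s3cr3t", CSRF_COOKIE_NAME: "tok", "theme": "dark"},
            "headers": {"Cookie": f"{SESSION_COOKIE_NAME}=s3cr3t; theme=dark; {CSRF_COOKIE_NAME}=tok"},
        }
    }


# Wiring it up (needs sentry-sdk installed; not executed in this example):
# sentry_sdk.init(dsn=..., send_default_pii=True,
#                 before_send=scrub_cookies, before_send_transaction=scrub_cookies)
```

Register the same function for both hooks, since transactions carry request data as well as error events. This is a client-side mitigation only: anything already stored in Sentry stays there until it is deleted, so after a leak the affected sessions should also be invalidated server-side.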


CVE-2024-40647

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. If you specifically do not want them passed, use the `env` argument of the subprocess call, as in this example:

```python
>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'
```

If you want to pass no variables at all, set an empty dict:

```python
>>> subprocess.check_output(["env"], env={})
b''
```

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

  1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

  1. Disable the Stdlib integration:

```python
import sentry_sdk

# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)
```
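Two things a practitioner wants here, as an added example that is not from the advisory or from sentry-python: a check that tells you whether child processes receive more environment than you passed them, and a helper that builds the child environment from an allowlist so it is never the bare `env={}` that the vulnerable versions mishandle (the advisory's first workaround, without a dummy variable). `/usr/bin/env` is assumed to exist, the variable names in the allowlist are illustrative, and all function names are chosen here.

```python
# Added example (not sentry-python code): detect environment leakage into
# child processes and build a never-empty, allowlisted child environment.
import os
import subprocess
from typing import Dict, Iterable, Set

ENV_BINARY = "/usr/bin/env"  # assumed location; present on Linux and macOS


def child_environment(env: Dict[str, str]) -> Dict[str, str]:
    """Run /usr/bin/env with exactly `env` and parse what the child really saw."""
    output = subprocess.check_output([ENV_BINARY], env=env, text=True)
    received: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:  # the controlled inputs used here contain no newlines in values
            received[key] = value
    return received


def leaked_variables(env: Dict[str, str]) -> Set[str]:
    """Names the child saw that were not in `env`.

    Empty on a correct stack. Under CVE-2024-40647 (Stdlib integration on,
    env={}) this would be the parent's whole environment.
    """
    return set(child_environment(env)) - set(env)


def minimal_env(allow: Iterable[str] = ("PATH", "LANG", "LC_ALL")) -> Dict[str, str]:
    """Allowlist-based child environment.

    Copies only the named variables from the parent and always sets PATH, so
    the result is never an empty dict. That sidesteps the env={} special case
    in the vulnerable SDK versions while keeping tokens, DSNs and other
    secrets out of the child.
    """
    env = {name: os.environ[name] for name in allow if name in os.environ}
    env.setdefault("PATH", os.defpath)
    return env


def run_isolated(argv, allow: Iterable[str] = ("PATH", "LANG", "LC_ALL")) -> str:
    """Run a command with the allowlisted environment and return its stdout."""
    return subprocess.check_output(argv, env=minimal_env(allow), text=True)


if __name__ == "__main__":
    os.environ["SECRET_TOKEN"] = "constructed-value"  # constructed, for the demo
    print("leaked with env={}:", leaked_variables({}))
    print("child sees:", child_environment(minimal_env()))
```

Run `leaked_variables({})` in a test with the Sentry SDK initialised exactly as in production: a non-empty result means the process still has the vulnerable combination of SDK version and enabled Stdlib integration. If you take the second workaround instead, keep in mind that removing `StdlibIntegration` also removes the subprocess and HTTP-client breadcrumbs and spans it provides.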


### References
* Sentry docs: [Default integrations](https://docs.sentry.io/platforms/python/integrations/default-integrations/)
* Python docs: [subprocess module](https://docs.python.org/3/library/subprocess.html)
* Patch [https://github.com/getsentry/sentry-python/pull/3251](https://togithub.com/getsentry/sentry-python/pull/3251)

---

### Release Notes

<details>
<summary>getsentry/sentry-python (sentry-sdk)</summary>

### [`v2.8.0`](https://togithub.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#280)

[Compare Source](https://togithub.com/getsentry/sentry-python/compare/2.7.1...2.8.0)

##### Various fixes & improvements

-   `profiler_id` uses underscore ([#&#8203;3249](https://togithub.com/getsentry/sentry-python/issues/3249)) by [@&#8203;Zylphrex](https://togithub.com/Zylphrex)
-   Don't send full env to subprocess ([#&#8203;3251](https://togithub.com/getsentry/sentry-python/issues/3251)) by [@&#8203;kmichel-aiven](https://togithub.com/kmichel-aiven)
-   Stop using `Hub` in `HttpTransport` ([#&#8203;3247](https://togithub.com/getsentry/sentry-python/issues/3247)) by [@&#8203;szokeasaurusrex](https://togithub.com/szokeasaurusrex)
-   Remove `ipdb` from test requirements ([#&#8203;3237](https://togithub.com/getsentry/sentry-python/issues/3237)) by [@&#8203;rominf](https://togithub.com/rominf)
-   Avoid propagation of empty baggage ([#&#8203;2968](https://togithub.com/getsentry/sentry-python/issues/2968)) by [@&#8203;hartungstenio](https://togithub.com/hartungstenio)
-   Add entry point for `SentryPropagator` ([#&#8203;3086](https://togithub.com/getsentry/sentry-python/issues/3086)) by [@&#8203;mender](https://togithub.com/mender)
-   Bump checkouts/data-schemas from `8c13457` to `88273a9` ([#&#8203;3225](https://togithub.com/getsentry/sentry-python/issues/3225)) by [@&#8203;dependabot](https://togithub.com/dependabot)

### [`v2.7.1`](https://togithub.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#271)

[Compare Source](https://togithub.com/getsentry/sentry-python/compare/2.7.0...2.7.1)

##### Various fixes & improvements

-   fix(otel): Fix missing baggage ([#&#8203;3218](https://togithub.com/getsentry/sentry-python/issues/3218)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   This is the config file of asdf-vm which we do not use. ([#&#8203;3215](https://togithub.com/getsentry/sentry-python/issues/3215)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   Added option to disable middleware spans in Starlette ([#&#8203;3052](https://togithub.com/getsentry/sentry-python/issues/3052)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   build: Update tornado version in setup.py to match code check. ([#&#8203;3206](https://togithub.com/getsentry/sentry-python/issues/3206)) by [@&#8203;aclemons](https://togithub.com/aclemons)

### [`v2.7.0`](https://togithub.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#270)

[Compare Source](https://togithub.com/getsentry/sentry-python/compare/2.6.0...2.7.0)

-   Add `origin` to spans and transactions ([#&#8203;3133](https://togithub.com/getsentry/sentry-python/issues/3133)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   OTel: Set up typing for OTel ([#&#8203;3168](https://togithub.com/getsentry/sentry-python/issues/3168)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   OTel: Auto instrumentation skeleton ([#&#8203;3143](https://togithub.com/getsentry/sentry-python/issues/3143)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   OpenAI: If there is an internal error, still return a value ([#&#8203;3192](https://togithub.com/getsentry/sentry-python/issues/3192)) by [@&#8203;colin-sentry](https://togithub.com/colin-sentry)
-   MongoDB: Add MongoDB collection span tag ([#&#8203;3182](https://togithub.com/getsentry/sentry-python/issues/3182)) by [@&#8203;0Calories](https://togithub.com/0Calories)
-   MongoDB: Change span operation from `db.query` to `db` ([#&#8203;3186](https://togithub.com/getsentry/sentry-python/issues/3186)) by [@&#8203;0Calories](https://togithub.com/0Calories)
-   MongoDB: Remove redundant command name in query description ([#&#8203;3189](https://togithub.com/getsentry/sentry-python/issues/3189)) by [@&#8203;0Calories](https://togithub.com/0Calories)
-   Apache Spark: Fix spark driver integration ([#&#8203;3162](https://togithub.com/getsentry/sentry-python/issues/3162)) by [@&#8203;seyoon-lim](https://togithub.com/seyoon-lim)
-   Apache Spark: Add Spark test suite to tox.ini and to CI ([#&#8203;3199](https://togithub.com/getsentry/sentry-python/issues/3199)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   Codecov: Add failed test commits in PRs ([#&#8203;3190](https://togithub.com/getsentry/sentry-python/issues/3190)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   Update library, Python versions in tests ([#&#8203;3202](https://togithub.com/getsentry/sentry-python/issues/3202)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   Remove Hub from our test suite ([#&#8203;3197](https://togithub.com/getsentry/sentry-python/issues/3197)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   Use env vars for default CA cert bundle location ([#&#8203;3160](https://togithub.com/getsentry/sentry-python/issues/3160)) by [@&#8203;DragoonAethis](https://togithub.com/DragoonAethis)
-   Create a separate test group for AI ([#&#8203;3198](https://togithub.com/getsentry/sentry-python/issues/3198)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   Add additional stub packages for type checking ([#&#8203;3122](https://togithub.com/getsentry/sentry-python/issues/3122)) by [@&#8203;Daverball](https://togithub.com/Daverball)
-   Proper naming of requirements files ([#&#8203;3191](https://togithub.com/getsentry/sentry-python/issues/3191)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   Pinning pip because new version does not work with some versions of Celery and Httpx ([#&#8203;3195](https://togithub.com/getsentry/sentry-python/issues/3195)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   build(deps): bump supercharge/redis-github-action from 1.7.0 to 1.8.0 ([#&#8203;3193](https://togithub.com/getsentry/sentry-python/issues/3193)) by [@&#8203;dependabot](https://togithub.com/dependabot)
-   build(deps): bump actions/checkout from 4.1.6 to 4.1.7 ([#&#8203;3171](https://togithub.com/getsentry/sentry-python/issues/3171)) by [@&#8203;dependabot](https://togithub.com/dependabot)
-   build(deps): update pytest-asyncio requirement ([#&#8203;3087](https://togithub.com/getsentry/sentry-python/issues/3087)) by [@&#8203;dependabot](https://togithub.com/dependabot)

### [`v2.6.0`](https://togithub.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#260)

[Compare Source](https://togithub.com/getsentry/sentry-python/compare/2.5.1...2.6.0)

-   Introduce continuous profiling mode ([#&#8203;2830](https://togithub.com/getsentry/sentry-python/issues/2830)) by [@&#8203;Zylphrex](https://togithub.com/Zylphrex)
-   Profiling: Add deprecation comment for profiler internals ([#&#8203;3167](https://togithub.com/getsentry/sentry-python/issues/3167)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   Profiling: Move thread data to trace context ([#&#8203;3157](https://togithub.com/getsentry/sentry-python/issues/3157)) by [@&#8203;Zylphrex](https://togithub.com/Zylphrex)
-   Explicitly export cron symbols for typecheckers ([#&#8203;3072](https://togithub.com/getsentry/sentry-python/issues/3072)) by [@&#8203;spladug](https://togithub.com/spladug)
-   Cleaning up ASGI tests for Django ([#&#8203;3180](https://togithub.com/getsentry/sentry-python/issues/3180)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   Celery: Add Celery receive latency ([#&#8203;3174](https://togithub.com/getsentry/sentry-python/issues/3174)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   Metrics: Update type hints for tag values ([#&#8203;3156](https://togithub.com/getsentry/sentry-python/issues/3156)) by [@&#8203;elramen](https://togithub.com/elramen)
-   Django: Fix psycopg3 reconnect error ([#&#8203;3111](https://togithub.com/getsentry/sentry-python/issues/3111)) by [@&#8203;szokeasaurusrex](https://togithub.com/szokeasaurusrex)
-   Tracing: Keep original function signature when decorated ([#&#8203;3178](https://togithub.com/getsentry/sentry-python/issues/3178)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)
-   Reapply "Refactor the Celery Beat integration ([#&#8203;3105](https://togithub.com/getsentry/sentry-python/issues/3105))" ([#&#8203;3144](https://togithub.com/getsentry/sentry-python/issues/3144)) ([#&#8203;3175](https://togithub.com/getsentry/sentry-python/issues/3175)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   Added contributor image to readme ([#&#8203;3183](https://togithub.com/getsentry/sentry-python/issues/3183)) by [@&#8203;antonpirker](https://togithub.com/antonpirker)
-   bump actions/checkout from 4.1.4 to 4.1.6 ([#&#8203;3147](https://togithub.com/getsentry/sentry-python/issues/3147)) by [@&#8203;dependabot](https://togithub.com/dependabot)
-   bump checkouts/data-schemas from `59f9683` to `8c13457` ([#&#8203;3146](https://togithub.com/getsentry/sentry-python/issues/3146)) by [@&#8203;dependabot](https://togithub.com/dependabot)

### [`v2.5.1`](https://togithub.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#251)

[Compare Source](https://togithub.com/getsentry/sentry-python/compare/2.5.0...2.5.1)

This change fixes a regression in our cron monitoring feature, which caused cron checkins not to be sent. The regression appears to have been introduced in version 2.4.0.

**We recommend that all users, who use Cron monitoring and are currently running sentry-python ≥2.4.0, upgrade to this release as soon as possible!**

##### Other fixes & improvements

-   feat(tracing): Warn if not-started transaction entered ([#&#8203;3003](https://togithub.com/getsentry/sentry-python/issues/3003)) by [@&#8203;szokeasaurusrex](https://togithub.com/szokeasaurusrex)
-   test(scope): Ensure `last_event_id` cleared ([#&#8203;3124](https://togithub.com/getsentry/sentry-python/issues/3124)) by [@&#8203;szokeasaurusrex](https://togithub.com/szokeasaurusrex)
-   fix(scope): Clear last_event_id on scope clear ([#&#8203;3124](https://togithub.com/getsentry/sentry-python/issues/3124)) by [@&#8203;szokeasaurusrex](https://togithub.com/szokeasaurusrex)

### [`v2.5.0`](https://togithub.com/getsentry/sentry-python/blob/HEAD/CHANGELOG.md#250)

[Compare Source](https://togithub.com/getsentry/sentry-python/compare/2.4.0...2.5.0)

##### Various fixes & improvements

-   Allow to configure status codes to report to Sentry in Starlette and FastAPI ([#&#8203;3008](https://togithub.com/getsentry/sentry-python/issues/3008)) by [@&#8203;sentrivana](https://togithub.com/sentrivana)

    By passing a new option to the FastAPI and Starlette integrations, you're now able to configure what
    status codes should be sent as events to Sentry. Here's how it works:

    ```python
    import sentry_sdk
    from sentry_sdk.integrations.starlette import StarletteIntegration
    from sentry_sdk.integrations.fastapi import FastApiIntegration

    sentry_sdk.init(
        # ...
        integrations=[
            StarletteIntegration(
                failed_request_status_codes=[403, range(500, 599)],
            ),
            FastApiIntegration(
                failed_request_status_codes=[403, range(500, 599)],
            ),
        ]
    )
    ```

    `failed_request_status_codes` expects a list of integers or containers (objects that allow membership checks via `in`)
    of integers. Examples of valid `failed_request_status_codes`:

    - `[500]` will only send events on HTTP 500.
    - `[400, range(500, 599)]` will send events on HTTP 400 as well as the 500-599 range.
    - `[500, 503]` will send events on HTTP 500 and 503.

    The default is `[range(500, 599)]`.

    See the [FastAPI](https://docs.sentry.io/platforms/python/integrations/fastapi/) and [Starlette](https://docs.sentry.io/platforms/python/integrations/starlette/) integration docs for more details.

- Support multiple keys with `cache_prefixes` (#&#8203;3136) by @&#8203;sentrivana
- Support integer Redis keys (#&#8203;3132) by @&#8203;sentrivana
- Update SDK version in CONTRIBUTING.md (#&#8203;3129) by @&#8203;sentrivana
- Bump actions/checkout from 4.1.4 to 4.1.5 (#&#8203;3067) by @&#8203;dependabot
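To check what a given `failed_request_status_codes` value will actually report, here is the membership rule from the 2.5.0 notes spelled out as plain Python (an added example, not sentry-sdk code; `should_report`, `AuthFailures` and `reported_codes` are names chosen here). It assumes integer entries are compared with `==` and every other entry with `in`, which is what the wording above describes.

```python
# Added example (not sentry-sdk code): evaluate a failed_request_status_codes
# configuration offline, including a custom container entry.
from typing import Any, Iterable, List

DEFAULT_FAILED_REQUEST_STATUS_CODES = [range(500, 599)]  # the documented default


def should_report(status_code: int, failed_request_status_codes: Iterable[Any]) -> bool:
    """True when `status_code` equals an int entry or is `in` a container entry."""
    for entry in failed_request_status_codes:
        if isinstance(entry, int):
            if status_code == entry:
                return True
        elif status_code in entry:
            return True
    return False


class AuthFailures:
    """Any object with __contains__ can be an entry (assumed usage that follows
    the 'containers that allow membership checks' wording of the release note)."""

    def __contains__(self, status_code: object) -> bool:
        return status_code in (401, 403)


def reported_codes(config: Iterable[Any], candidates: Iterable[int] = range(100, 600)) -> List[int]:
    """All status codes in `candidates` that the given configuration would report."""
    config = list(config)
    return [code for code in candidates if should_report(code, config)]
```

One edge case worth checking before you rely on the default: `range(500, 599)` stops at 598, so an HTTP 599 is not reported by `[range(500, 599)]`; use `range(500, 600)` if the full 5xx range matters to you.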

### `v2.4.0`, `v2.3.1`, `v2.3.0`, `v2.2.1`, `v2.2.0`, `v2.1.1`, `v2.1.0`, `v2.0.1`

Various fixes & improvements.

### `v2.0.0`

This is the first major update in a long time!

We dropped support for some ancient languages and frameworks (Yes, Python 2.7 is no longer supported). Additionally we refactored a big part of the foundation of the SDK (how data inside the SDK is handled).

We hope you like it!

For a shorter version of what you need to do, to upgrade to Sentry SDK 2.0 see: https://docs.sentry.io/platforms/python/migration/1.x-to-2.x

##### New Features

##### Changed

(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))

Before:

```python
transaction = sentry_sdk.transaction(...)

# later in the code execution:

with sentry_sdk.configure_scope() as scope:
    scope.set_transaction_name("new-transaction-name")
```

needs to be changed to this:

```python
transaction = sentry_sdk.transaction(...)

# later in the code execution:

scope = sentry_sdk.Scope.get_current_scope()
scope.set_transaction_name("new-transaction-name")
```
##### Removed

(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))

##### Deprecated

Before:

```python
# do something
```

After:

```python
import sentry_sdk

with sentry_sdk.start_span(...):
    # do something
```

Before:

```python
# do something with the cloned hub
```

After:

```python
import sentry_sdk

with sentry_sdk.isolation_scope() as scope:
    # do something with the forked scope
```

Before:

```python
# do something with scope
```

After:

```python
from sentry_sdk.scope import Scope

scope = Scope.get_isolation_scope()
```

### `v1.45.1`

This is a security backport release.

### `v1.45.0`

This is the final 1.x release for the foreseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.

##### Various fixes & improvements

### `v1.44.1`, `v1.44.0`

Various fixes & improvements.

### `v1.43.0`

##### Various fixes & improvements

```python
import sentry_sdk

sentry_sdk.init(
    # ...your usual settings...
    keep_alive=True,
)
```


- Add support for Celery Redbeat cron tasks (#&#8203;2643) by @&#8203;kwigley

The SDK now supports the Redbeat scheduler in addition to the default
Celery Beat scheduler for auto instrumenting crons. See
[the docs](https://docs.sentry.io/platforms/python/integrations/celery/crons/)
for more information about how to set this up.

- `aws_event` can be an empty list (#&#8203;2849) by @&#8203;sentrivana
- Re-export `Event` in `types.py` (#&#8203;2829) by @&#8203;szokeasaurusrex
- Small API docs improvement (#&#8203;2828) by @&#8203;antonpirker
- Fixed OpenAI tests (#&#8203;2834) by @&#8203;antonpirker
- Bump `checkouts/data-schemas` from `ed078ed` to `8232f17` (#&#8203;2832) by @&#8203;dependabot

### `v1.42.0`

Various fixes & improvements.

### `v1.41.0`

##### Various fixes & improvements

```python
import sentry_sdk
from sentry_sdk.scrubber import EventScrubber

sentry_sdk.init(
    # ...your usual settings...
    event_scrubber=EventScrubber(recursive=True),
)
```


- Expose `socket_options` (#&#8203;2786) by @&#8203;sentrivana

If the SDK is experiencing connection issues (connection resets, server
closing connection without response, etc.) while sending events to Sentry,
tweaking the default `urllib3` socket options to the following can help:

```python
import socket
from urllib3.connection import HTTPConnection
import sentry_sdk

sentry_sdk.init(
    # ...your usual settings...
    socket_options=HTTPConnection.default_socket_options + [
        (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1),
        # note: skip the following line if you're on MacOS since TCP_KEEPIDLE doesn't exist there
        (socket.SOL_TCP, socket.TCP_KEEPIDLE, 45),
        (socket.SOL_TCP, socket.TCP_KEEPINTVL, 10),
        (socket.SOL_TCP, socket.TCP_KEEPCNT, 6),
    ],
)
```

### `v1.40.6`, `v1.40.5`, `v1.40.4`, `v1.40.3`, `v1.40.2`, `v1.40.1`, `v1.40.0`, `v1.39.2`

Various fixes & improvements.

</details>


Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.