Skip to content

fix(wsgi): Gate url.full, url.path, and http.query behind send_default_pii #6654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ericapisani merged 2 commits into from
Jun 25, 2026
+29 −10
Merged

fix(wsgi): Gate url.full, url.path, and http.query behind send_default_pii #6654

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bd7de91
fix(wsgi): Gate url.full, url.path, and http.query behind send_defaul…
ericapisani Jun 24, 2026
6273bbd
Merge branch 'master' into py-2552-wsgi-url-attr
ericapisani Jun 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 10 additions & 6 deletions sentry_sdk/integrations/wsgi.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -394,12 +394,6 @@ def _get_request_attributes(
for header, value in headers.items():
attributes[f"http.request.header.{header.lower()}"] = value

query_string = environ.get("QUERY_STRING")
if query_string:
attributes["http.query"] = query_string

attributes["url.full"] = get_request_url(environ, use_x_forwarded_for)

url_scheme = environ.get("wsgi.url_scheme")
if url_scheme:
attributes["network.protocol.name"] = url_scheme
Expand All @@ -420,4 +414,14 @@ def _get_request_attributes(
if client_ip:
attributes["client.address"] = client_ip

query_string = environ.get("QUERY_STRING")
if query_string:
attributes["http.query"] = query_string

path = environ.get("PATH_INFO", "")
if path:
attributes["url.path"] = path

attributes["url.full"] = get_request_url(environ, use_x_forwarded_for)

@cursor cursor Bot Jun 25, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

url.path omits SCRIPT_NAME prefix

Medium Severity

When send_default_pii is enabled, url.path is taken from PATH_INFO only, while url.full is built with get_request_url, which merges SCRIPT_NAME and PATH_INFO. Mounted WSGI apps can therefore emit spans where url.path and url.full describe different paths.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 6273bbd. Configure here.


return attributes
23 changes: 19 additions & 4 deletions tests/integrations/wsgi/test_wsgi.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,20 +208,22 @@ def dogpark(environ, start_response):
assert envelope["request"] == error_event["request"]


@pytest.mark.parametrize("send_pii", [True, False])
@pytest.mark.parametrize("span_streaming", [True, False])
def test_transaction_no_error(
sentry_init,
capture_events,
capture_items,
DictionaryContaining, # noqa:N803
span_streaming,
send_pii,
):
def dogpark(environ, start_response):
start_response("200 OK", [])
return ["Go get the ball! Good dog!"]

sentry_init(
send_default_pii=True,
send_default_pii=send_pii,
traces_sample_rate=1.0,
_experiments={
"trace_lifecycle": "stream" if span_streaming else "static",
Expand All @@ -235,7 +237,7 @@ def dogpark(environ, start_response):
else:
events = capture_events()

client.get("/dogs/are/great/")
client.get("/dogs/are/great?toy=tennisball")

sentry_sdk.flush()

Expand All @@ -248,17 +250,30 @@ def dogpark(environ, start_response):
assert span["attributes"]["sentry.op"] == "http.server"
assert span["attributes"]["sentry.span.source"] == "route"
assert span["attributes"]["http.request.method"] == "GET"
assert span["attributes"]["url.full"] == "http://localhost/dogs/are/great/"
assert span["attributes"]["http.response.status_code"] == 200
assert span["status"] == "ok"

if send_pii:
assert span["attributes"]["url.full"] == "http://localhost/dogs/are/great"
assert span["attributes"]["url.path"] == "/dogs/are/great"
assert span["attributes"]["http.query"] == "toy=tennisball"
else:
assert "url.path" not in span["attributes"]
assert "url.full" not in span["attributes"]
assert "http.query" not in span["attributes"]

else:
envelope = events[0]

assert envelope["type"] == "transaction"
assert envelope["transaction"] == "generic WSGI request"
assert envelope["contexts"]["trace"]["op"] == "http.server"
assert envelope["request"] == DictionaryContaining(
{"method": "GET", "url": "http://localhost/dogs/are/great/"}
{
"method": "GET",
"url": "http://localhost/dogs/are/great",
"query_string": "toy=tennisball",
}
Comment on lines 266 to +276

@sentry sentry Bot Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The WSGI integration leaks PII in non-streaming transaction events by unconditionally adding url and query_string, even when send_default_pii is False.
Severity: HIGH

Suggested Fix

In the _make_wsgi_event_processor function, wrap the assignments for request_info["url"] and request_info["query_string"] in a conditional check for should_send_default_pii(). This will ensure that PII is consistently redacted across both streaming and non-streaming code paths, respecting the user's setting.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: tests/integrations/wsgi/test_wsgi.py#L265-L276

Potential issue: The WSGI integration aims to prevent sending Personally Identifiable
Information (PII) when `send_default_pii` is `False`. While the change correctly redacts
PII for span attributes in the streaming path (`_get_request_attributes`), it fails to
do so for the non-streaming transaction event path. The `_make_wsgi_event_processor`
function unconditionally sets `request["url"]` and `request["query_string"]` on the
event. This results in an inconsistent behavior where users who set
`send_default_pii=False` will still have unredacted URLs and query strings sent in
transaction events if they are not using the span streaming path, leading to an
unintended PII leak.

Did we get this right? 👍 / 👎 to inform future reviews.

)


Expand Down
Loading