fix(httpx2): Gate url.full, url.query on send_default_pii#6670
Conversation
url.full and url.query can contain sensitive data (query strings, credentials in URLs). Gate these attributes behind send_default_pii to match the behavior of the aiohttp and wsgi integrations. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
![sentry-warden[bot]](https://avatars.githubusercontent.com/in/2755838?s=60&v=4){kind=small}
| @@ -73,7 +74,7 @@ def send(self: "Client", request: "Request", **kwargs: "Any") -> "Response": | |||
| ) as streamed_span: | |||
There was a problem hiding this comment.
PII gate not applied to default non-streaming path — URL, query, and fragment still exposed
The should_send_default_pii() guard added in this PR only protects the experimental span-streaming path (is_span_streaming_enabled). The non-streaming else branch — which is the DEFAULT code path since streaming requires opting in via _experiments.trace_lifecycle == "stream" — still calls span.set_data("url", parsed_url.url), span.set_data(SPANDATA.HTTP_QUERY, parsed_url.query), and span.set_data(SPANDATA.HTTP_FRAGMENT, parsed_url.fragment) gated only on parsed_url is not None. As a result, query parameters and credentials embedded in URLs are still recorded in spans for most users even when send_default_pii=False, so the PR does not achieve its stated goal on the default path. The same gap exists in both _install_httpx2_client and _install_httpx2_async_client.
Evidence
has_span_streaming_enabledintracing_utils.pyreturns true only when_experiments.trace_lifecycle == "stream", so theelse(non-streaming) branch is the default path for most users.- In
_install_httpx2_client'selsebranch (httpx2.py:122-126)span.set_data("url", ...),span.set_data(SPANDATA.HTTP_QUERY, ...), andspan.set_data(SPANDATA.HTTP_FRAGMENT, ...)are gated only onparsed_url is not None, with noshould_send_default_pii()check. - The streaming branch above (httpx2.py:77) does add the
should_send_default_pii()guard, confirming the gate was applied to only one of the two paths. _install_httpx2_async_client'selsebranch (httpx2.py:232-235) repeats the same ungatedset_datacalls.
Identified by Warden code-review · PJJ-2ZL
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| ) as streamed_span: | ||
| attributes: "Attributes" = {} | ||
|
|
||
| if parsed_url is not None: | ||
| if parsed_url is not None and should_send_default_pii(): | ||
| attributes["url.full"] = parsed_url.url | ||
| if parsed_url.query: | ||
| attributes["url.query"] = parsed_url.query |
There was a problem hiding this comment.
Bug: The non-streaming path for httpx2 requests unconditionally adds URL data to spans, ignoring the send_default_pii setting.
Severity: MEDIUM
Suggested Fix
Wrap the span.set_data calls for URL and query parameters in the non-streaming paths (both sync and async) with a if should_send_default_pii(): check. This will ensure consistent PII handling across both streaming and non-streaming modes.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: sentry_sdk/integrations/httpx2.py#L74-L80
Potential issue: The change to gate URL data behind `should_send_default_pii()` was only
applied to the streaming span path in the `httpx2` integration. The non-streaming path,
for both synchronous and asynchronous requests, still unconditionally sets
`span.set_data("url", ...)` and `span.set_data(SPANDATA.HTTP_QUERY, ...)` without
checking the PII setting. This means that even if a user configures
`send_default_pii=False` to prevent sending sensitive information like query parameters,
this data will still be sent for non-streaming `httpx` requests, leading to a potential
PII leak.
Also affects:
sentry_sdk/integrations/httpx2.py:184~190
Did we get this right? 👍 / 👎 to inform future reviews.
Codecov Results 📊✅ 89935 passed | ⏭️ 6240 skipped | Total: 96175 | Pass Rate: 93.51% | Execution Time: 318m 47s 📊 Comparison with Base Branch
All tests are passing successfully. ✅ Patch coverage is 100.00%. Project has 2396 uncovered lines. Coverage diff@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 89.93% 89.93% —%
==========================================
Files 192 192 —
Lines 23784 23785 +1
Branches 8210 8210 —
==========================================
+ Hits 21389 21389 —
- Misses 2395 2396 +1
- Partials 1342 1341 -1Generated by Codecov Action |
2 participants
url.fullandurl.querycan contain sensitive data such as query parameters or credentials embedded in URLs. This gates both attributes behindsend_default_piiin the httpx2 integration, matching the behavior already in place for aiohttp and wsgi.Fixes PY-2559
Fixes #6669