Bump sentry-sdk to 2.8.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
sentry-sdk (changelog)	==2.0.1 → ==2.8.0

---

Sentry's Python SDK unintentionally exposes environment variables to subprocesses

CVE-2024-40647 / GHSA-g92j-qhmh-64v2

More information

Details

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

2. Disable Stdlib integration:

import sentry_sdk

##### Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)

References

• Sentry docs: Default integrations
• Python docs: subprocess module
• Patch https://github.com/getsentry/sentry-python/pull/3251

Severity

• CVSS Score: 1.8 / 10 (Low)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

References

• https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2
• https://github.com/getsentry/sentry-python/pull/3251
• https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
• https://docs.python.org/3/library/subprocess.html
• https://docs.sentry.io/platforms/python/integrations/default-integrations
• https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib
• https://github.com/getsentry/sentry-python/releases/tag/2.8.0
• https://nvd.nist.gov/vuln/detail/CVE-2024-40647
• https://github.com/getsentry/sentry-python/releases/tag/1.45.1
• https://github.com/advisories/GHSA-g92j-qhmh-64v2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

getsentry/sentry-python (sentry-sdk)

v2.8.0

Compare Source

Various fixes & improvements

• profiler_id uses underscore (#​3249) by @​Zylphrex
• Don't send full env to subprocess (#​3251) by @​kmichel-aiven
• Stop using Hub in HttpTransport (#​3247) by @​szokeasaurusrex
• Remove ipdb from test requirements (#​3237) by @​rominf
• Avoid propagation of empty baggage (#​2968) by @​hartungstenio
• Add entry point for SentryPropagator (#​3086) by @​mender
• Bump checkouts/data-schemas from 8c13457 to 88273a9 (#​3225) by @​dependabot

v2.7.1

Compare Source

Various fixes & improvements

• fix(otel): Fix missing baggage (#​3218) by @​sentrivana
• This is the config file of asdf-vm which we do not use. (#​3215) by @​antonpirker
• Added option to disable middleware spans in Starlette (#​3052) by @​antonpirker
• build: Update tornado version in setup.py to match code check. (#​3206) by @​aclemons

v2.7.0

Compare Source

• Add origin to spans and transactions (#​3133) by @​antonpirker
• OTel: Set up typing for OTel (#​3168) by @​sentrivana
• OTel: Auto instrumentation skeleton (#​3143) by @​sentrivana
• OpenAI: If there is an internal error, still return a value (#​3192) by @​colin-sentry
• MongoDB: Add MongoDB collection span tag (#​3182) by @​0Calories
• MongoDB: Change span operation from db.query to db (#​3186) by @​0Calories
• MongoDB: Remove redundant command name in query description (#​3189) by @​0Calories
• Apache Spark: Fix spark driver integration (#​3162) by @​seyoon-lim
• Apache Spark: Add Spark test suite to tox.ini and to CI (#​3199) by @​sentrivana
• Codecov: Add failed test commits in PRs (#​3190) by @​antonpirker
• Update library, Python versions in tests (#​3202) by @​sentrivana
• Remove Hub from our test suite (#​3197) by @​antonpirker
• Use env vars for default CA cert bundle location (#​3160) by @​DragoonAethis
• Create a separate test group for AI (#​3198) by @​sentrivana
• Add additional stub packages for type checking (#​3122) by @​Daverball
• Proper naming of requirements files (#​3191) by @​antonpirker
• Pinning pip because new version does not work with some versions of Celery and Httpx (#​3195) by @​antonpirker
• build(deps): bump supercharge/redis-github-action from 1.7.0 to 1.8.0 (#​3193) by @​dependabot
• build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#​3171) by @​dependabot
• build(deps): update pytest-asyncio requirement (#​3087) by @​dependabot

v2.6.0

Compare Source

• Introduce continuous profiling mode (#​2830) by @​Zylphrex
• Profiling: Add deprecation comment for profiler internals (#​3167) by @​sentrivana
• Profiling: Move thread data to trace context (#​3157) by @​Zylphrex
• Explicitly export cron symbols for typecheckers (#​3072) by @​spladug
• Cleaning up ASGI tests for Django (#​3180) by @​antonpirker
• Celery: Add Celery receive latency (#​3174) by @​antonpirker
• Metrics: Update type hints for tag values (#​3156) by @​elramen
• Django: Fix psycopg3 reconnect error (#​3111) by @​szokeasaurusrex
• Tracing: Keep original function signature when decorated (#​3178) by @​sentrivana
• Reapply "Refactor the Celery Beat integration (#​3105)" (#​3144) (#​3175) by @​antonpirker
• Added contributor image to readme (#​3183) by @​antonpirker
• bump actions/checkout from 4.1.4 to 4.1.6 (#​3147) by @​dependabot
• bump checkouts/data-schemas from 59f9683 to 8c13457 (#​3146) by @​dependabot

v2.5.1

Compare Source

This change fixes a regression in our cron monitoring feature, which caused cron checkins not to be sent. The regression appears to have been introduced in version 2.4.0.

We recommend that all users, who use Cron monitoring and are currently running sentry-python ≥2.4.0, upgrade to this release as soon as possible!

Other fixes & improvements

• feat(tracing): Warn if not-started transaction entered (#​3003) by @​szokeasaurusrex
• test(scope): Ensure last_event_id cleared (#​3124) by @​szokeasaurusrex
• fix(scope): Clear last_event_id on scope clear (#​3124) by @​szokeasaurusrex

v2.5.0

Compare Source

Various fixes & improvements

• Allow to configure status codes to report to Sentry in Starlette and FastAPI (#​3008) by @​sentrivana

  By passing a new option to the FastAPI and Starlette integrations, you're now able to configure what
  status codes should be sent as events to Sentry. Here's how it works:

  from sentry_sdk.integrations.starlette import StarletteIntegration
  from sentry_sdk.integrations.fastapi import FastApiIntegration
  
  sentry_sdk.init(
      # ...
      integrations=[
          StarletteIntegration(
              failed_request_status_codes=[403, range(500, 599)],
          ),
          FastApiIntegration(
              failed_request_status_codes=[403, range(500, 599)],
          ),
      ]
  )

  failed_request_status_codes expects a list of integers or containers (objects that allow membership checks via in)
  of integers. Examples of valid failed_request_status_codes:

  • [500] will only send events on HTTP 500.
  • [400, range(500, 599)] will send events on HTTP 400 as well as the 500-599 range.
  • [500, 503] will send events on HTTP 500 and 503.

  The default is [range(500, 599)].

  See the FastAPI and Starlette integration docs for more details.

• Support multiple keys with cache_prefixes (#​3136) by @​sentrivana

• Support integer Redis keys (#​3132) by @​sentrivana

• Update SDK version in CONTRIBUTING.md (#​3129) by @​sentrivana

• Bump actions/checkout from 4.1.4 to 4.1.5 (#​3067) by @​dependabot

v2.4.0

Compare Source

Various fixes & improvements

• Celery: Made cache.key span data field a list (#​3110) by @​antonpirker
• Celery Beat: Refactor the Celery Beat integration (#​3105) by @​antonpirker
• GRPC: Add None check for grpc.aio interceptor (#​3109) by @​ordinary-jamie
• Docs: Remove last_event_id from migration guide (#​3126) by @​szokeasaurusrex
• fix(django): Proper transaction names for i18n routes (#​3104) by @​sentrivana
• fix(scope): Copy _last_event_id in Scope.__copy__ (#​3123) by @​szokeasaurusrex
• fix(tests): Adapt to new Anthropic version (#​3119) by @​sentrivana
• build(deps): bump checkouts/data-schemas from 4381a97 to 59f9683 (#​3066) by @​dependabot

v2.3.1

Compare Source

Various fixes & improvements

• Handle also byte arras as strings in Redis caches (#​3101) by @​antonpirker
• Do not crash exceptiongroup (by patching excepthook and keeping the name of the function) (#​3099) by @​antonpirker

v2.3.0

Compare Source

Various fixes & improvements

• NEW: Redis integration supports now Sentry Caches module. See https://docs.sentry.io/product/performance/caches/ (#​3073) by @​antonpirker
• NEW: Django integration supports now Sentry Caches module. See https://docs.sentry.io/product/performance/caches/ (#​3009) by @​antonpirker
• Fix cohere testsuite for new release of cohere (#​3098) by @​antonpirker
• Fix ClickHouse integration where _sentry_span might be missing (#​3096) by @​sentrivana

v2.2.1

Compare Source

Various fixes & improvements

• Add conditional check for delivery_info's existence (#​3083) by @​cmanallen
• Updated deps for latest langchain version (#​3092) by @​antonpirker
• Fixed grpcio extras to work as described in the docs (#​3081) by @​antonpirker
• Use pythons venv instead of virtualenv to create virtual envs (#​3077) by @​antonpirker
• Celery: Add comment about kwargs_headers (#​3079) by @​szokeasaurusrex
• Celery: Queues module producer implementation (#​3079) by @​szokeasaurusrex
• Fix N803 flake8 failures (#​3082) by @​szokeasaurusrex

v2.2.0

Compare Source

New features

• Celery integration now sends additional data to Sentry to enable new features to guage the health of your queues
• Added a new integration for Cohere
• Reintroduced the last_event_id function, which had been removed in 2.0.0

Other fixes & improvements

• Add tags + data passing functionality to @​ai_track (#​3071) by @​colin-sentry
• Only propagate headers from spans within transactions (#​3070) by @​szokeasaurusrex
• Improve type hints for set metrics (#​3048) by @​elramen
• Fix get_client typing (#​3063) by @​szokeasaurusrex
• Auto-enable Anthropic integration + gate imports (#​3054) by @​colin-sentry
• Made MeasurementValue.unit NotRequired (#​3051) by @​antonpirker

v2.1.1

Compare Source

• Fix trace propagation in Celery tasks started by Celery Beat. (#​3047) by @​antonpirker

v2.1.0

Compare Source

• fix(quart): Fix Quart integration (#​3043) by @​szokeasaurusrex

• New integration: Langchain (#​2911) by @​colin-sentry

  Usage: (Langchain is auto enabling, so you do not need to do anything special)

  from langchain_openai import ChatOpenAI
  import sentry_sdk
  
  sentry_sdk.init(
      dsn="...",
      enable_tracing=True,
      traces_sample_rate=1.0,
  )
  
  llm = ChatOpenAI(model="gpt-3.5-turbo-0125", temperature=0)

  Check out the LangChain docs for details.

• New integration: Anthropic (#​2831) by @​czyber

  Usage: (add the AnthropicIntegration to your sentry_sdk.init() call)

  from anthropic import Anthropic
  
  import sentry_sdk
  
  sentry_sdk.init(
      dsn="...",
      enable_tracing=True,
      traces_sample_rate=1.0,
      integrations=[AnthropicIntegration()],
  )
  
  client = Anthropic()

  Check out the Anthropic docs for details.

• New integration: Huggingface Hub (#​3033) by @​colin-sentry

  Usage: (Huggingface Hub is auto enabling, so you do not need to do anything special)

  import sentry_sdk
  from huggingface_hub import InferenceClient
  
  sentry_sdk.init(
      dsn="...",
      enable_tracing=True,
      traces_sample_rate=1.0,
  )
  
  client = InferenceClient("some-model")

  Check out the Huggingface docs for details. (comming soon!)

• fix(huggingface): Reduce API cross-section for huggingface in test (#​3042) by @​colin-sentry

• fix(django): Fix Django ASGI integration on Python 3.12 (#​3027) by @​bellini666

• feat(perf): Add ability to put measurements directly on spans. (#​2967) by @​colin-sentry

• fix(tests): Fix trytond tests (#​3031) by @​sentrivana

• fix(tests): Update pytest-asyncio to fix CI (#​3030) by @​sentrivana

• fix(docs): Link to respective migration guides directly (#​3020) by @​sentrivana

• docs(scope): Add docstring to Scope.set_tags (#​2978) by @​szokeasaurusrex

• test(scope): Fix typos in assert error message (#​2978) by @​szokeasaurusrex

• feat(scope): New set_tags function (#​2978) by @​szokeasaurusrex

• test(scope): Add unit test for Scope.set_tags (#​2978) by @​szokeasaurusrex

• feat(scope): Add set_tags to top-level API (#​2978) by @​szokeasaurusrex

• test(scope): Add unit test for top-level API set_tags (#​2978) by @​szokeasaurusrex

• feat(tests): Parallelize tox (#​3025) by @​sentrivana

• build(deps): Bump checkouts/data-schemas from 4aa14a7 to 4381a97 (#​3028) by @​dependabot

• meta(license): Bump copyright year (#​3029) by @​szokeasaurusrex

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.