Python 3.11.4 (and maybe others) break sentry-sdk's URL parsing that contains filtered elements #2160

@hynek

How do you use Sentry?

Sentry SaaS (sentry.io)

Version

1.25.0 but tried older too

Steps to Reproduce

It looks like the recent security fixes to Python's URL parsing module broke sentry_sdk.utils.parse_url(), which leads to baffling tracebacks, e.g. when using the httpx integration & tracing.

Internally, sentry_sdk.utils.parse_url() uses a call to urllib.parse.spliturl(url), and as of 3.11.4 that explodes when the URL includes [Filtered].

I would expect this to be true for all Python versions that got a security update yesterday (3.10.12, 3.9.17, 3.8.17, 3.7.17, and 3.12.0 beta 2), but I have to run now, so I can't verify it.

Expected Result

sentry-sdk not exploding in baffling ways.

To be clear: this is kinda a big deal, because if I deploy an app that uses httpx and sentry on Python 3.11.4 (that's already in deadsnakes), the app will explode the first time it makes an http request.

Actual Result

3.11.3 works:

```
Python 3.11.3 (main, May 23 2023, 08:45:42) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import urlsplit; urlsplit("https://[Filtered]:[Filtered]@example.com/")
SplitResult(scheme='https', netloc='[Filtered]:[Filtered]@example.com', path='/', query='', fragment='')
>>>
```

3.11.4 breaks:

```
Python 3.11.4 (v3.11.4:d2340ef257, Jun  6 2023, 19:15:51) [Clang 13.0.0 (clang-1300.0.29.30)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import urlsplit; urlsplit("https://[Filtered]:[Filtered]@example.com/")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/urllib/parse.py", line 500, in urlsplit
    _check_bracketed_host(bracketed_host)
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/urllib/parse.py", line 446, in _check_bracketed_host
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/ipaddress.py", line 54, in ip_address
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
ValueError: 'Filtered' does not appear to be an IPv4 or IPv6 address
```
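
Added example, not code from sentry-sdk or from the report above: one way to avoid the failure shown in the traceback is to parse the raw URL first and substitute the [Filtered] marker into the parsed components, so the redacted string is never handed to urlsplit(). The name `redact_url` and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

PLACEHOLDER = "[Filtered]"  # the marker that appears in the report


def redact_url(url, placeholder=PLACEHOLDER):
    """Return `url` with its userinfo replaced by `placeholder`.

    The raw URL is parsed *before* redaction. Interpreters with the stricter
    bracketed-host check reject "[Filtered]" in the netloc, so the redacted
    string must not be fed back into urlsplit().
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Unparseable input (invalid bracketed host, or a URL that was
        # already redacted upstream). Returning the raw string could leak
        # credentials into telemetry, so return only the marker.
        return placeholder

    netloc = parts.netloc
    if "@" in netloc:
        # The last "@" separates userinfo from host[:port].
        userinfo, _, hostport = netloc.rpartition("@")
        hidden = placeholder
        if ":" in userinfo:
            hidden = placeholder + ":" + placeholder
        netloc = hidden + "@" + hostport

    # urlunsplit() only joins components; it performs no host validation.
    return urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "https://user:secret@example.com/path?q=1",
        "http://u:p@[::1]:8080/",
        "https://example.com/a",
        "https://[Filtered]:[Filtered]@example.com/",  # already redacted
    ):
        print(sample, "->", redact_url(sample))
```

The last sample yields either the unchanged URL or the bare marker depending on whether the running interpreter includes the stricter check; in both cases no exception reaches the caller.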
