Conversation

@cursor cursor bot commented Nov 19, 2025

Prevents logging of unfiltered user-supplied OAuth state parameters in failure metrics by sanitizing them to only include metadata (presence, length, and SHA-256 hash). This closes a potential information leak while maintaining debuggability for state mismatch errors.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

Co-authored-by: jenn.muengtaweepongsa <jenn.muengtaweepongsa@sentry.io>
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Nov 19, 2025
codecov bot commented Nov 19, 2025

❌ 1 Tests Failed:

Tests completed: 29869 | Failed: 1 | Passed: 29868 | Skipped: 245
View the top 1 failed test(s) by shortest run time
tests.sentry.identity.test_oauth2.OAuth2CallbackViewTest::test_state_mismatch_logs_sanitized_values
Stack Traces | 0.072s run time
.../sentry/identity/test_oauth2.py:181: in test_state_mismatch_logs_sanitized_values
    self.view.dispatch(request, pipeline)
.../sentry/identity/oauth2.py:387: in dispatch
    return pipeline.error(ERR_INVALID_STATE)
.../sentry/pipeline/base.py:201: in error
    return render_to_response(
.../sentry/web/helpers.py:42: in render_to_response
    response = HttpResponse(render_to_string(template, context, request))
.../sentry/web/helpers.py:29: in render_to_string
    rendered = loader.render_to_string(template, context=context, request=request)
.venv/lib/python3.13.../django/template/loader.py:62: in render_to_string
    return template.render(context, request)
.venv/lib/python3.13.../template/backends/django.py:107: in render
    return self.template.render(context)
.venv/lib/python3.13.../django/template/base.py:171: in render
    return self._render(context)
.venv/lib/python3.13.../django/test/utils.py:114: in instrumented_test_render
    return self.nodelist.render(context)
.venv/lib/python3.13.../django/template/base.py:1016: in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
.venv/lib/python3.13.../django/template/base.py:977: in render_annotated
    return self.render(context)
.venv/lib/python3.13.../django/template/loader_tags.py:159: in render
    return compiled_parent._render(context)
.venv/lib/python3.13.../django/test/utils.py:114: in instrumented_test_render
    return self.nodelist.render(context)
.venv/lib/python3.13.../django/template/base.py:1016: in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
.venv/lib/python3.13.../django/template/base.py:977: in render_annotated
    return self.render(context)
.venv/lib/python3.13.../django/template/loader_tags.py:159: in render
    return compiled_parent._render(context)
.venv/lib/python3.13.../django/test/utils.py:114: in instrumented_test_render
    return self.nodelist.render(context)
.venv/lib/python3.13.../django/template/base.py:1016: in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
.venv/lib/python3.13.../django/template/base.py:977: in render_annotated
    return self.render(context)
.venv/lib/python3.13.../django/template/library.py:321: in render
    output = self.func(*resolved_args, **resolved_kwargs)
.../sentry/templatetags/sentry_helpers.py:197: in get_sentry_version
    latest = options.get("sentry:latest_version") or current
.../sentry/options/manager.py:312: in get
    result = self.store.get(opt, silent=silent)
.../sentry/options/store.py:115: in get
    result = self.get_store(key, silent=silent)
.../sentry/options/store.py:215: in get_store
    value = self.model.objects.get(key=key.name).value
.venv/lib/python3.13.../db/models/manager.py:87: in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
.venv/lib/python3.13.../db/models/query.py:631: in get
    num = len(clone)
.venv/lib/python3.13.../db/models/query.py:368: in __len__
    self._fetch_all()
.venv/lib/python3.13.../db/models/query.py:1954: in _fetch_all
    self._result_cache = list(self._iterable_class(self))
.venv/lib/python3.13.../db/models/query.py:93: in __iter__
    results = compiler.execute_sql(
.venv/lib/python3.13.../models/sql/compiler.py:1621: in execute_sql
    cursor = self.connection.cursor()
.venv/lib/python3.13.../django/utils/asyncio.py:26: in inner
    return func(*args, **kwargs)
.venv/lib/python3.13.../backends/base/base.py:320: in cursor
    return self._cursor()
.../db/postgres/decorators.py:38: in inner
    return func(self, *args, **kwargs)
.../db/postgres/base.py:114: in _cursor
    return super()._cursor()
.venv/lib/python3.13.../backends/base/base.py:296: in _cursor
    self.ensure_connection()
E   RuntimeError: Database access not allowed, use the "django_db" mark, or the "db" or "transactional_db" fixtures to enable it.