Conversation

@cursor cursor bot commented Nov 19, 2025

Hardens OAuth callback handling to prevent logging and surfacing unvalidated, potentially malicious state, code, and provider error parameters.

This change introduces sanitization helpers that:

  1. Hash sensitive OAuth parameters (state, code) for logging, providing metadata (e.g., length, format match) instead of raw values.
  2. Whitelist characters for provider error messages, redacting unsafe inputs to prevent log injection.

This ensures that even when an attacker injects payloads into OAuth callback parameters, they are not logged verbatim or displayed to the user, enhancing security without losing debugging context.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.


Co-authored-by: jenn.muengtaweepongsa <jenn.muengtaweepongsa@sentry.io>
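The description above is of helpers that (1) hash `state`/`code` and log metadata about them and (2) allow-list the characters of a provider error message. The following is an added illustration of that design, not code from this PR or from Sentry: the function names, the assumed formats for `state` and `code`, the allow-listed character set, and the in-memory `log` list are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Assumed formats (illustration only, not Sentry's real rules): the state we
# issue is 32 lowercase hex chars; an authorization code is a URL-safe token.
STATE_RE = re.compile(r"[0-9a-f]{32}")
CODE_RE = re.compile(r"[A-Za-z0-9._~-]{1,512}")

# Allow-list for provider error text that may be logged or shown verbatim.
# Anything outside it (newlines, HTML, quotes, ...) is replaced wholesale.
SAFE_ERROR_RE = re.compile(r"[A-Za-z0-9 ._:-]{1,200}")
REDACTED = "[redacted]"


@dataclass(frozen=True)
class ParamSummary:
    """Loggable metadata about a parameter; never carries the raw value."""
    digest: str            # first 16 hex chars of SHA-256(value)
    length: int
    matches_format: bool
    has_control_chars: bool


def summarize_param(value: Optional[str], pattern: re.Pattern) -> Optional[ParamSummary]:
    if value is None:
        return None
    raw = value.encode("utf-8", "surrogatepass")
    return ParamSummary(
        digest=hashlib.sha256(raw).hexdigest()[:16],
        length=len(value),
        matches_format=pattern.fullmatch(value) is not None,
        has_control_chars=any(ord(c) < 0x20 or ord(c) == 0x7F for c in value),
    )


def summarize_state(value: Optional[str]) -> Optional[ParamSummary]:
    return summarize_param(value, STATE_RE)


def summarize_code(value: Optional[str]) -> Optional[ParamSummary]:
    return summarize_param(value, CODE_RE)


def sanitize_provider_error(message: Optional[str]) -> str:
    """Keep a provider error only if every character is on the allow-list."""
    if not message:
        return "unknown provider error"
    return message if SAFE_ERROR_RE.fullmatch(message) else REDACTED


def handle_callback(params: dict, expected_state: Optional[str], log: list) -> tuple[bool, str]:
    """Toy callback handler: appends only sanitized records to ``log``."""
    error = params.get("error")
    if error is not None:
        message = sanitize_provider_error(error)
        log.append({"event": "oauth.provider_error", "error": message})
        return False, message

    state = params.get("state")
    # Constant-time comparison; a missing value on either side is a mismatch.
    if not (expected_state and state and hmac.compare_digest(expected_state.encode(), state.encode())):
        log.append({"event": "oauth.state_mismatch", "state": summarize_state(state)})
        return False, "state mismatch"

    code = params.get("code")
    if not (code and CODE_RE.fullmatch(code)):
        log.append({"event": "oauth.invalid_code", "code": summarize_code(code)})
        return False, "invalid authorization code"

    log.append({"event": "oauth.callback_ok", "code": summarize_code(code)})
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample callbacks: a valid one, a state carrying a newline and
    # a fake log line, a normal provider error, and an HTML-bearing error.
    records: list = []
    handle_callback({"state": "a" * 32, "code": "SplxlOBeZQQYbYS6WxSbIA"}, "a" * 32, records)
    handle_callback({"state": "evil\n[ERROR] forged entry", "code": "x"}, "a" * 32, records)
    handle_callback({"error": "access_denied"}, "a" * 32, records)
    handle_callback({"error": "<script>alert(1)</script>"}, "a" * 32, records)
    for record in records:
        print(record)
```

The point of the `ParamSummary` shape is that a log consumer still gets enough to debug a mismatch (was the value the right length, did it look like something we issued, did it contain control characters) while the log line itself contains nothing attacker-chosen; the truncated digest lets two reports about the same value be correlated without reproducing it.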
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Nov 19, 2025

codecov bot commented Nov 19, 2025

❌ 3 Tests Failed:

Tests completed   Failed   Passed   Skipped
29872             3        29869    244

View the top 3 failed test(s) by shortest run time

tests.sentry.identity.test_oauth2.OAuth2CallbackViewTest::test_provider_error_is_redacted_when_invalid
Stack Traces | 0.044s run time
.../sentry/identity/test_oauth2.py:213: in test_provider_error_is_redacted_when_invalid
    _, message = mock_error.call_args.args
E   ValueError: not enough values to unpack (expected 2, got 1)

tests.sentry.identity.test_oauth2.OAuth2CallbackViewTest::test_state_mismatch_sanitizes_logged_value
Stack Traces | 0.047s run time
.../sentry/identity/test_oauth2.py:169: in test_state_mismatch_sanitizes_logged_value
    pipeline.bind_state("state", "59bd69f591011a0cb6b64e0c0d271731")
.../sentry/pipeline/base.py:229: in bind_state
    data = self.state.data or {}
.../sentry/utils/session_store.py:119: in getter
    state = store.get_state()
.../sentry/utils/session_store.py:101: in get_state
    if not self.redis_key:
.../sentry/utils/session_store.py:69: in redis_key
    return self.request.session.get(self.session_key)
E   AttributeError: 'WSGIRequest' object has no attribute 'session'

tests.sentry.identity.test_oauth2.OAuth2CallbackViewTest::test_provider_error_keeps_safe_message
Stack Traces | 0.068s run time
.../sentry/identity/test_oauth2.py:240: in test_provider_error_keeps_safe_message
    _, message = mock_error.call_args.args
E   ValueError: not enough values to unpack (expected 2, got 1)
