fix(asgi): Gate query string and client IP behind send_default_pii

666e6fb
Open

fix(asgi): Gate query string and client IP behind send_default_pii #6501

@sentry/warden / warden: code-review completed Jun 4, 2026 in 1m 46s

2 issues

code-review: Found 2 issues (2 high)

High

`url.full` accidentally gated behind `should_send_default_pii()`, missing in default config - `sentry_sdk/integrations/_asgi_common.py:130`

`url.full` is not PII (it's the URL path, not the query string), but it's now inside the `if should_send_default_pii():` block, so it will never be set when PII is disabled — breaking span URL attribution in the default configuration.

`NameError` when non-http/websocket ASGI scope is processed with PII enabled - `sentry_sdk/integrations/_asgi_common.py:133`

When `asgi_scope['type']` is not `'http'` or `'websocket'` (e.g. `'lifespan'`) and `should_send_default_pii()` is `True`, `headers` is undefined at `headers.get('host')` because it is only assigned inside the `if ty in ('http', 'websocket'):` block.


⏱ 1m 21s · 95.2k in / 7.3k out · $0.42
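
The shape both findings point toward, as an added example that is not code from the PR or from the Sentry SDK: `url.full` is set regardless of the PII setting, the query string and client IP are set only on opt-in, and non-HTTP scopes return before `headers` is read. The helper name `scope_attributes`, its boolean parameter, the attribute names `url.query` and `client.address`, and the sample scopes are assumptions made for illustration.

```python
from urllib.parse import quote

# Constructed sample scopes (not captured traffic).
HTTP_SCOPE = {
    "type": "http",
    "scheme": "https",
    "path": "/reset",
    "query_string": b"token=abc123",
    "headers": [(b"host", b"app.example")],
    "client": ("203.0.113.7", 51234),
}
LIFESPAN_SCOPE = {"type": "lifespan"}


def scope_attributes(asgi_scope, send_default_pii):
    """Hypothetical helper: span attributes for one ASGI scope."""
    attrs = {}
    ty = asgi_scope.get("type")
    if ty not in ("http", "websocket"):
        # Lifespan scopes have no headers, path or client, so return before
        # anything reads them (this is the NameError path in the review).
        return attrs

    # ASGI delivers headers as a list of (bytes, bytes) pairs.
    headers = {
        k.decode("latin-1").lower(): v.decode("latin-1")
        for k, v in asgi_scope.get("headers", [])
    }
    scheme = asgi_scope.get("scheme") or ("http" if ty == "http" else "ws")
    server = asgi_scope.get("server") or ("localhost", None)
    host = headers.get("host") or server[0]
    path = asgi_scope.get("root_path", "") + asgi_scope.get("path", "")

    # Always set: scheme, host and path only, never the query string.
    attrs["url.full"] = "%s://%s%s" % (scheme, host, quote(path))

    if send_default_pii:
        # Opt-in only: query strings can carry tokens, client IP identifies a user.
        query = asgi_scope.get("query_string", b"")
        if query:
            attrs["url.query"] = query.decode("latin-1")  # assumed attribute name
        client = asgi_scope.get("client")
        if client:
            attrs["client.address"] = client[0]  # assumed attribute name
    return attrs
```
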
