fix

adc69e9
Open

fix(asgi): Gate query string and client IP behind send_default_pii #6501

@sentry/warden / warden completed Jun 4, 2026 in 1m 39s

2 issues

High

`url.full` incorrectly gated behind `should_send_default_pii()`, suppressing it for all default users - `sentry_sdk/integrations/_asgi_common.py:124-131`

`url.full` is placed inside the `should_send_default_pii()` block alongside `http.query`, but `_get_url()` explicitly strips the query string (see its docstring: "without also including the querystring"), so the base URL is not PII and should always be captured. This causes `url.full` to be absent from all spans when PII is disabled, breaking standard OTel HTTP server span semantics for the majority of users.

Medium

`url.full` (URL without query string) incorrectly gated behind `should_send_default_pii()` - `sentry_sdk/integrations/_asgi_common.py:124-131`

`url.full` is the base URL path with no query string — `_get_url()` docstring says it builds the URL "without also including the querystring" — so gating it behind `should_send_default_pii()` silently drops the request URL from all ASGI traces when PII is disabled, breaking basic HTTP observability.

4 skills analyzed
| Skill | Findings | Duration | Cost |
| --- | --- | --- | --- |
| security-review | 0 | 1m 15s | $0.18 |
| code-review | 1 | 35.0s | $0.21 |
| find-bugs | 1 | 46.6s | $0.24 |
| skill-scanner | 0 | 1.3s | $0.03 |

⏱ 2m 38s · 154.6k in / 11.7k out · $0.66