Python 3.11.4 (and maybe others) break sentry-sdk's URL parsing that contains filtered elements #2160

Closed
hynek opened this issue Jun 7, 2023 · 3 comments · Fixed by #2161

@hynek
Contributor

hynek commented Jun 7, 2023

How do you use Sentry?

Sentry Saas (sentry.io)

Version

1.25.0 but tried older too

Steps to Reproduce

It looks like the recent security fixes to Python's URL parsing module broke sentry_sdk.utils.parse_url(), which leads to baffling tracebacks, e.g. when using the httpx integration & tracing.

Internally, sentry_sdk.utils.parse_url() uses a call to urllib.parse.spliturl(url) and, as of 3.11.4, that explodes when that URL includes [Filtered].

I would expect this to be true for all Python versions that got a security update yesterday (3.10.12, 3.9.17, 3.8.17, 3.7.17, and 3.12.0 beta 2), but I have to run now, so I can't verify it.

Expected Result

sentry-sdk not exploding in baffling ways.

To be clear: this is kinda a big deal, because if I deploy an app that uses httpx and sentry on Python 3.11.4 (that's already in deadsnakes), the app will explode the first time it makes an http request.

Actual Result

3.11.3 works:

Python 3.11.3 (main, May 23 2023, 08:45:42) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import urlsplit; urlsplit("https://[Filtered]:[Filtered]@example.com/")
SplitResult(scheme='https', netloc='[Filtered]:[Filtered]@example.com', path='/', query='', fragment='')
>>>

3.11.4 breaks:

Python 3.11.4 (v3.11.4:d2340ef257, Jun  6 2023, 19:15:51) [Clang 13.0.0 (clang-1300.0.29.30)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import urlsplit; urlsplit("https://[Filtered]:[Filtered]@example.com/")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/urllib/parse.py", line 500, in urlsplit
    _check_bracketed_host(bracketed_host)
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/urllib/parse.py", line 446, in _check_bracketed_host
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/ipaddress.py", line 54, in ip_address
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
ValueError: 'Filtered' does not appear to be an IPv4 or IPv6 address

@sentrivana
Contributor

Thanks @hynek, we'll look at this right away.

@hynek
Contributor Author

hynek commented Jun 7, 2023

I suppose the quick fix would be changing

SENSITIVE_DATA_SUBSTITUTE = "[Filtered]"
to something that is a valid user / password.

@antonpirker
Member

Fix released: https://github.com/getsentry/sentry-python/releases/tag/1.25.1
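
An added example (not code from this issue or from sentry-sdk): one way to keep a bracketed placeholder such as "[Filtered]" away from urlsplit(), by parsing before redacting and by peeling the userinfo off a URL that is already redacted. The function names are hypothetical; only urlsplit and urlunsplit are standard-library calls, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

PLACEHOLDER = "[Filtered]"  # value of SENSITIVE_DATA_SUBSTITUTE quoted in the issue


def stdlib_accepts(url):
    """True if urlsplit() parses url on the running interpreter."""
    try:
        urlsplit(url)
        return True
    except ValueError:
        return False


def redact_userinfo(url):
    """Parse the original URL first, then swap credentials for the placeholder."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Unparseable input (e.g. a stray bracket in a password): fail closed
        # and return only the placeholder rather than the raw URL.
        return PLACEHOLDER
    _, at, hostinfo = parts.netloc.rpartition("@")
    if not at:
        return url  # no credentials present
    netloc = f"{PLACEHOLDER}:{PLACEHOLDER}@{hostinfo}"
    return urlunsplit(parts._replace(netloc=netloc))


def split_redacted(url):
    """Split a URL whose userinfo may already hold the bracketed placeholder.

    Returns (SplitResult without userinfo, userinfo string).
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        return urlsplit(url), ""
    # The authority ends at the first '/', '?' or '#'.
    cut = min((i for i in map(rest.find, "/?#") if i != -1), default=len(rest))
    userinfo, _, hostinfo = rest[:cut].rpartition("@")
    return urlsplit(f"{scheme}://{hostinfo}{rest[cut:]}"), userinfo


if __name__ == "__main__":
    redacted = redact_userinfo("https://alice:s3cret@example.com/")  # constructed
    # Whether the stdlib accepts the redacted string depends on the Python version.
    print(redacted, "-> stdlib parses it:", stdlib_accepts(redacted))
    print(split_redacted(redacted))
```

The redacted string is meant for display or logging; code that needs the host or path afterwards should go through split_redacted() instead of calling urlsplit() on it directly.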
