Update dependency sentry-sdk to ^1.45.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
sentry-sdk (changelog)	^2.0.0 → ^1.45.0

---

Sentry's Python SDK unintentionally exposes environment variables to subprocesses

CVE-2024-40647 / GHSA-g92j-qhmh-64v2

More information

Details

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

2. Disable Stdlib integration:

import sentry_sdk

##### Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)

References

• Sentry docs: Default integrations
• Python docs: subprocess module
• Patch https://github.com/getsentry/sentry-python/pull/3251

Severity

• CVSS Score: 1.8 / 10 (Low)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

References

• https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2
• https://github.com/getsentry/sentry-python/pull/3251
• https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
• https://docs.python.org/3/library/subprocess.html
• https://docs.sentry.io/platforms/python/integrations/default-integrations
• https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib
• https://github.com/getsentry/sentry-python/releases/tag/2.8.0
• https://nvd.nist.gov/vuln/detail/CVE-2024-40647
• https://github.com/getsentry/sentry-python/releases/tag/1.45.1
• https://github.com/advisories/GHSA-g92j-qhmh-64v2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

getsentry/sentry-python (sentry-sdk)

v1.45.1

Compare Source

This is a security backport release.

• Don't send full env to subprocess (892dd80) by @​kmichel-aiven

  See also GHSA-g92j-qhmh-64v2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: api/poetry.lock

The --no-wheel and --wheel options are deprecated. They have no effect for Python > 3.8 as wheel is no longer bundled in virtualenv.
Updating dependencies
Resolving dependencies...
The --no-wheel and --wheel options are deprecated. They have no effect for Python > 3.8 as wheel is no longer bundled in virtualenv.

Creating virtualenv developer-connect-api-CGodQ25B-py3.14 in /home/ubuntu/.cache/pypoetry/virtualenvs

Because auth-api (0.0.0) @ git+https://github.com/bcgov/sbc-auth.git@c286045eb2cf9761cd57b59aa4c6e7b3146ea36c#subdirectory=auth-api depends on launchdarkly-server-sdk (8.2.1)
 and developer-connect-api depends on launchdarkly-server-sdk (^8.3.0), auth-api is forbidden.
So, because developer-connect-api depends on auth-api (0.0.0) @ git+https://github.com/bcgov/sbc-auth.git@c286045eb2cf9761cd57b59aa4c6e7b3146ea36c#subdirectory=auth-api, version solving failed.