
fix for unbounded consumption of request without a content-header spe…

3b71c16
Draft

feat(flask): Add span streaming support and request body capture #6264

@sentry/warden / warden: security-review completed May 15, 2026 in 4m 8s

1 issue

security-review: Found 1 issue (1 medium)

Medium

Request body with sensitive fields bypasses EventScrubber when written to streamed span attributes - `sentry_sdk/integrations/_wsgi_common.py:212-220`

When span streaming is enabled, `_serialize_request_body_data` serializes the full parsed request body (including form fields like `password`, `token`, `api_key`) into a span attribute that is sent via `_capture_telemetry` — a path that never calls `EventScrubber.scrub_event`, so denylist-matched fields are transmitted to Sentry unredacted. Apply `event_scrubber.scrub_dict` to the parsed body dict before serializing it, or scrub the deserialized attribute after the fact.

Also found at:

  • sentry_sdk/integrations/flask.py:220-230
  • sentry_sdk/integrations/starlette.py:20

⏱ 3m 15s · 1.2M in / 30.0k out · $1.77

Annotations

Check warning on line 220 in sentry_sdk/integrations/_wsgi_common.py


@sentry-warden sentry-warden / warden: security-review

Request body with sensitive fields bypasses EventScrubber when written to streamed span attributes

When span streaming is enabled, `_serialize_request_body_data` serializes the full parsed request body (including form fields like `password`, `token`, `api_key`) into a span attribute that is sent via `_capture_telemetry` — a path that never calls `EventScrubber.scrub_event`, so denylist-matched fields are transmitted to Sentry unredacted. Apply `event_scrubber.scrub_dict` to the parsed body dict before serializing it, or scrub the deserialized attribute after the fact.

Check warning on line 230 in sentry_sdk/integrations/flask.py


@sentry-warden sentry-warden / warden: security-review

[W3M-9D6] Request body with sensitive fields bypasses EventScrubber when written to streamed span attributes (additional location)


Check warning on line 20 in sentry_sdk/integrations/starlette.py


@sentry-warden sentry-warden / warden: security-review

[W3M-9D6] Request body with sensitive fields bypasses EventScrubber when written to streamed span attributes (additional location)
