ref(argv): Update integration #6155
1 issue
security-review: Found 1 issue (1 high)
High
PII gate is a no-op: `should_send_default_pii` is referenced, not called - `sentry_sdk/integrations/argv.py:26`
`should_send_default_pii` is a function (defined in `sentry_sdk/scope.py:2136`), but the new condition `isinstance(extra, dict) and should_send_default_pii` checks the function object's truthiness rather than calling it. Function objects are always truthy, so the guard always passes and `sys.argv` is attached to every event regardless of the client's `send_default_pii` setting. Since `sys.argv` frequently contains secrets (API tokens, DB URLs, passwords passed via CLI flags), this leaks PII/credentials to Sentry for users who explicitly opted out.
Duration: 21.5s · Tokens: 31.3k in / 1.2k out · Cost: $0.17
Annotations
Check failure on line 26 in sentry_sdk/integrations/argv.py
sentry-warden / warden: security-review