fix(starlette): Stop duplicating scope["root_path"] in URLs#6579
3 issues
Medium
Mount-based test_request_url tests can't detect the root_path duplication bug they target - `tests/integrations/starlette/test_starlette.py:1500-1525`
The starlette test_request_url (and the identical fastapi test_request_url at tests/integrations/fastapi/test_fastapi.py:1051, which is part of this PR) construct TestClient(app) without root_path="/root" and rely on a Mount("/root", app=mounted_app) to reach /root/nomessage. Because SentryAsgiMiddleware._run_app skips the inner mounted invocation via _asgi_middleware_applied, the scope used for URL construction is always the outer one where root_path="". With root_path="", _get_url produces "" + "/root/nomessage" == "/root/nomessage" under both path_includes_root_path=True and False, so these tests pass whether or not the fix is present and cannot detect the duplication regression. The litestar/starlite/quart tests reproduce the bug correctly by passing root_path="/root" to TestClient (no Mount). Consider aligning the starlette/fastapi tests with that pattern (e.g. drop the Mount and use TestClient(app, root_path="/root") requesting /nomessage) so they exercise a non-empty outer root_path.
Also found at:
sentry_sdk/integrations/asgi.py:117
test_request_url missing send_default_pii=True makes span_streaming branch KeyError on url.full - `tests/integrations/starlite/test_starlite.py:586-592`
Add send_default_pii=True to sentry_init here. _get_request_attributes in _asgi_common.py only sets url.full inside if should_send_default_pii():, so for span_streaming=True the server span attributes will not contain url.full. The assertion server_span["attributes"]["url.full"] will then raise a KeyError rather than meaningfully validating the URL. The equivalent Starlette test (test_starlette.py:1491) correctly sets send_default_pii=True.
`url.full` assertion fails without `send_default_pii=True` - `tests/integrations/litestar/test_litestar.py:854-856`
The span_streaming=True branch asserts server_span["attributes"]["url.full"], but _get_request_attributes only sets url.full when should_send_default_pii() is True. Without send_default_pii=True in sentry_init, this will always raise a KeyError.
Also found at:
tests/integrations/starlite/test_starlite.py:586-592
4 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 12.3s | $0.22 |
| code-review | 2 | 10m 53s | $5.08 |
| find-bugs | 1 | 22m 52s | $6.93 |
| skill-scanner | 0 | 15m 11s | $0.12 |
⏱ 49m 8s · 9.4M in / 346.9k out · $12.36