Skip to content

fix(starlette): Stop duplicating scope["root_path"] in URLs#6579

Merged
alexander-alderman-webb merged 22 commits into
masterfrom
webb/asgi/double-mount-prefix
Jun 26, 2026
Merged

fix(starlette): Stop duplicating scope["root_path"] in URLs#6579
alexander-alderman-webb merged 22 commits into
masterfrom
webb/asgi/double-mount-prefix

remanining tests

a58e42d
Select commit
Loading
Failed to load commit list.
@sentry/warden / warden completed Jun 19, 2026 in 0s

3 issues

Medium

Mount-based test_request_url tests can't detect the root_path duplication bug they target - `tests/integrations/starlette/test_starlette.py:1500-1525`

The starlette test_request_url (and the identical fastapi test_request_url at tests/integrations/fastapi/test_fastapi.py:1051, which is part of this PR) construct TestClient(app) without root_path="/root" and rely on a Mount("/root", app=mounted_app) to reach /root/nomessage. Because SentryAsgiMiddleware._run_app skips the inner mounted invocation via _asgi_middleware_applied, the scope used for URL construction is always the outer one where root_path="". With root_path="", _get_url produces "" + "/root/nomessage" == "/root/nomessage" under both path_includes_root_path=True and False, so these tests pass whether or not the fix is present and cannot detect the duplication regression. The litestar/starlite/quart tests reproduce the bug correctly by passing root_path="/root" to TestClient (no Mount). Consider aligning the starlette/fastapi tests with that pattern (e.g. drop the Mount and use TestClient(app, root_path="/root") requesting /nomessage) so they exercise a non-empty outer root_path.

Also found at:

  • sentry_sdk/integrations/asgi.py:117
test_request_url missing send_default_pii=True makes span_streaming branch KeyError on url.full - `tests/integrations/starlite/test_starlite.py:586-592`

Add send_default_pii=True to sentry_init here. _get_request_attributes in _asgi_common.py only sets url.full inside if should_send_default_pii():, so for span_streaming=True the server span attributes will not contain url.full. The assertion server_span["attributes"]["url.full"] will then raise a KeyError rather than meaningfully validating the URL. The equivalent Starlette test (test_starlette.py:1491) correctly sets send_default_pii=True.

`url.full` assertion fails without `send_default_pii=True` - `tests/integrations/litestar/test_litestar.py:854-856`

The span_streaming=True branch asserts server_span["attributes"]["url.full"], but _get_request_attributes only sets url.full when should_send_default_pii() is True. Without send_default_pii=True in sentry_init, this will always raise a KeyError.

Also found at:

  • tests/integrations/starlite/test_starlite.py:586-592
4 skills analyzed
Skill Findings Duration Cost
security-review 0 12.3s $0.22
code-review 2 10m 53s $5.08
find-bugs 1 22m 52s $6.93
skill-scanner 0 15m 11s $0.12

⏱ 49m 8s · 9.4M in / 346.9k out · $12.36