
fix(starlette): Stop duplicating scope["root_path"] in URLs #6579

Merged: alexander-alderman-webb merged 22 commits into master from webb/asgi/double-mount-prefix on Jun 26, 2026
remove default arguments

557c418
@sentry/warden / warden completed Jun 26, 2026 in 0s

3 issues

Medium

No tests covering the new `root_path_in_path` behavior in any of the changed test files

The PR description states tests were added for `root_path` handling in each ASGI integration, but none of the changed test files (`test_asgi.py`, `test_fastapi.py`, `test_starlette.py`) contain any tests exercising `root_path` or the `EITHER`/`EXCLUDED` enum paths. Have you considered adding at least one test that sets `root_path` in the ASGI scope and asserts the resulting URL is not duplicated?

New `root_path` deduplication logic in `_get_path()` has no test coverage - `sentry_sdk/integrations/asgi.py:122`

The PR adds a `root_path_in_path` parameter and a `_RootPathInPath.EITHER` branch in `_get_path()` (`sentry_sdk/integrations/_asgi_common.py`) to avoid duplicating `scope["root_path"]` in URLs. The branch performs non-trivial prefix detection (`path.startswith(root_path + "/")`) and the Starlette integration selects between `EXCLUDED` and `EITHER` based on the Starlette version (`>= (0, 33)`). Despite the PR description stating that tests were added to each ASGI integration, no test in the suite exercises this logic: there are zero references to `root_path` in any test file. The version-sensitive, prefix-detecting behavior is therefore regression-prone, with edge cases (e.g. `root_path="/api"`, `path="/api-docs"`) silently untested.

Also found at:

  • sentry_sdk/integrations/asgi.py:18
  • sentry_sdk/integrations/starlette.py:457
  • tests/integrations/starlette/test_starlette.py:1507

Low

EITHER mode produces double-slash URL when root_path is "/" - `sentry_sdk/integrations/_asgi_common.py:47-50`

In `_get_path`, when `root_path_in_path` is `EITHER` and `scope["root_path"]` is `"/"`, the guard `not root_path or path == root_path or path.startswith(root_path + "/")` fails for normal paths: `not "/"` is `False`, `"/api/users" == "/"` is `False`, and `"/api/users".startswith("//")` is `False`. Execution falls through to `return root_path + path`, yielding `"/" + "/api/users"` = `"//api/users"`. This produces a malformed URL/transaction name. The ASGI spec says `root_path` SHOULD NOT end with `"/"`, so this only affects servers that misconfigure `root_path` as `"/"` instead of `""`.

Also found at:

  • sentry_sdk/integrations/asgi.py:411

4 skills analyzed

| Skill | Findings | Duration | Cost |
| --- | --- | --- | --- |
| security-review | 0 | 6.4s | $0.03 |
| code-review | 2 | 8m 26s | $4.98 |
| find-bugs | 1 | 19m 46s | $4.37 |
| skill-scanner | 0 | 10m 9s | $0.03 |

⏱ 38m 27s · 7.4M in / 272.5k out · $9.41