fix(aiohttp): Gate url.full, url.path, url.query on send_default_pii #6650
2 issues
Medium
Parametrized `send_pii=False` path asserts nothing, leaving PII-leakage regression undetected - `tests/integrations/aiohttp/test_aiohttp.py:1510-1520`
The send_pii=False branch of this parametrized test only skips the positive assertions — it never asserts that url.full, url.path, and url.query are absent from inner_client_span["attributes"], so a regression that leaks these attributes when PII is off would silently pass. Add an else clause mirroring the pattern used in test_url_query_attribute_span_streaming (e.g. assert "url.full" not in inner_client_span["attributes"]).
Also found at:
tests/integrations/aiohttp/test_aiohttp.py:1139
tests/integrations/aiohttp/test_aiohttp.py:1564-1576
Low
Test parametrized with send_pii=False never asserts URL attributes are absent on the inner client span - `tests/integrations/aiohttp/test_aiohttp.py:1564-1574`
The if send_pii: block (lines 1564–1574) of test_outgoing_client_span_span_streaming has no else branch, so when send_pii=False the test makes no assertions about url.full, url.path, or url.query on inner_client_span. A regression that leaks these PII attributes regardless of the setting would not be detected by the False parametrization. This is a test coverage gap, not a production defect.
4 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 30.7s | $0.23 |
| code-review | 1 | 4m 51s | $1.21 |
| find-bugs | 1 | 14m 16s | $1.98 |
| skill-scanner | 0 | 39.8s | $0.05 |
⏱ 20m 18s · 1.9M in / 100.5k out · $3.46