
fix(aiohttp): Gate url.full, url.path, url.query on send_default_pii #6650

Merged: ericapisani merged 2 commits into master from py-2545-aiohttp-url-attr, Jun 25, 2026

forgot to move setting of a url.query behind the pii check

ae3ad30
@sentry/warden / warden completed Jun 24, 2026

2 issues

Medium

Parametrized `send_pii=False` path asserts nothing, leaving PII-leakage regression undetected - `tests/integrations/aiohttp/test_aiohttp.py:1510-1520`

The `send_pii=False` branch of this parametrized test only skips the positive assertions — it never asserts that `url.full`, `url.path`, and `url.query` are absent from `inner_client_span["attributes"]`, so a regression that leaks these attributes when PII is off would silently pass. Add an `else` clause mirroring the pattern used in `test_url_query_attribute_span_streaming` (e.g. `assert "url.full" not in inner_client_span["attributes"]`).

Also found at:

  • tests/integrations/aiohttp/test_aiohttp.py:1139
  • tests/integrations/aiohttp/test_aiohttp.py:1564-1576

Low

Test parametrized with `send_pii=False` never asserts URL attributes are absent on the inner client span - `tests/integrations/aiohttp/test_aiohttp.py:1564-1574`

The `if send_pii:` block (lines 1564–1574) of `test_outgoing_client_span_span_streaming` has no `else` branch, so when `send_pii=False` the test makes no assertions about `url.full`, `url.path`, or `url.query` on `inner_client_span`. A regression that leaks these PII attributes regardless of the setting would not be detected by the `False` parametrization. This is a test coverage gap, not a production defect.

4 skills analyzed

| Skill | Findings | Duration | Cost |
| --- | --- | --- | --- |
| security-review | 0 | 30.7s | $0.23 |
| code-review | 1 | 4m 51s | $1.21 |
| find-bugs | 1 | 14m 16s | $1.98 |
| skill-scanner | 0 | 39.8s | $0.05 |

⏱ 20m 18s · 1.9M in / 100.5k out · $3.46
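
An added illustration of the coverage gap both findings describe; it is not code from the PR, the sentry-python test suite, or Warden. `gated_attributes`, `leaky_attributes`, the two check functions and the sample URL are hypothetical stand-ins, and the leaky variant models the slip named in the commit message (`url.query` set outside the PII check).

```python
from urllib.parse import urlsplit

URL_KEYS = ("url.full", "url.path", "url.query")
# Constructed sample URL; the query string stands in for sensitive data.
SAMPLE_URL = "https://example.invalid/users/42?token=constructed-value"


def gated_attributes(url, send_pii):
    """Hypothetical span-attribute builder that gates all URL keys on PII."""
    attrs = {"http.request.method": "GET"}
    if send_pii:
        parts = urlsplit(url)
        attrs["url.full"] = url
        attrs["url.path"] = parts.path
        attrs["url.query"] = parts.query
    return attrs


def leaky_attributes(url, send_pii):
    """Regression variant: url.query is set outside the PII check."""
    attrs = gated_attributes(url, send_pii)
    attrs["url.query"] = urlsplit(url).query
    return attrs


def weak_check(build, url, send_pii):
    """Flagged pattern: asserts only in the `if send_pii:` branch."""
    attrs = build(url, send_pii)
    if send_pii:
        return all(key in attrs for key in URL_KEYS)
    return True  # send_pii=False: nothing is verified


def strict_check(build, url, send_pii):
    """Adds the else branch: URL keys must be absent when PII is off."""
    attrs = build(url, send_pii)
    if send_pii:
        return all(key in attrs for key in URL_KEYS)
    return all(key not in attrs for key in URL_KEYS)


def run_matrix(check, build, url=SAMPLE_URL):
    """Run a check for both parametrizations; map send_pii -> passed."""
    return {send_pii: check(build, url, send_pii) for send_pii in (True, False)}
```

Against `leaky_attributes`, `weak_check` passes both parametrizations while `strict_check` fails the `send_pii=False` case, which is the regression the findings say would go undetected.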