Sentry wraps an object in AnnotedValue, causing the code to fail

[cnicodeme]

How do you use Sentry?

Sentry Saas (sentry.io)

Version

1.20.0

Steps to Reproduce

I'm using AsyncMy (https://github.com/long2ice/asyncmy) as my DB connector for asynchronous connections via SQLAlchemy.

Randomly, the library was failing and I had to restart the code in order for it to work.

It took me quite some time to figure out the problem: It is Sentry that wraps a module as an AnnotatedValue, making that library unable to function properly after that.

I've opened a ticket at that library, thinking the issue was related to them : long2ice/asyncmy#60

But printing the faulty code, it initially shows this:

<module 'asyncmy.auth' from '/var/www/getfernand.com/env/lib/python3.9/site-packages/asyncmy/auth.py'>

(the auth file)

And after an error caught by Sentry, the module is then replaced by:

<sentry_sdk.utils.AnnotatedValue object at 0x7fb3a32abc40>

And this is when the problem starts!

Is there a way to either tell Stripe to not wrap that object, or to not process it, or anything that can avoid these issues ?

Thank you !

Expected Result

Sentry shouldn't wrap the module as an AnnotatedValue, or otherwise pass the attributes to the original object.

Actual Result

the "auth" module is wrapped as an sentry_sdk.utils.AnnotatedValue, causing the library to fail to find the original functions (here, scramble_native_password)

[sentrivana]

Hey @cnicodeme, thanks for reporting this. Looks like the SDK misidentifies the auth module as something that might contain sensitive data and proceeds to scrub it, which is obviously wrong.

I've been looking at a similar bug here #2109 and should have a fix for that one soon, in an ideal case it should also cover this case.

[cnicodeme]

Thanks!

Is there a way I can do something on my end now, to be sure this won't happen again until you push a fix into production ? (Except if you plan to push today :D).

A patch, an option to toggle, anything ?

[sentrivana]

Assuming my hunch is correct and it's the event scrubber doing this, you could init the SDK with send_default_pii=True but ⚠️ this has the downside of the SDK no longer scrubbing any potentially sensitive data from the events, so even things like passwords and tokens would be sent. Another option is to play around with the event_scrubber, you could create a custom one that is basically the default one but with a custom denylist that doesn't contain the string auth.

Docs on scrubbing: https://docs.sentry.io/platforms/python/guides/tryton/data-management/sensitive-data/

[cnicodeme]

Thanks! I went with this:

from sentry_sdk.scrubber import EventScrubber, DEFAULT_DENYLIST

denylist = DEFAULT_DENYLIST.copy()
denylist.remove('auth')
sentry_sdk.init(
    ...,
    event_scrubber=EventScrubber(denylist=denylist),
)

If the error occurs again after this, I'll let you know (which will indicates it's not related to the event_scrubber, but it makes sense that it is).

Do you know in which version of Sentry_sdk this issue will be resolved? That way, I'll remove that temporary fix.

Thanks!

[sentrivana]

Thanks for keeping me posted! Regarding when this goes out, I'll be able to give you a better answer once we have a fix. But assuming we have one soon, it should make it into a release (version name TBD) in a couple weeks at most.

[cnicodeme]

If you could ping me once the issue is resolved (with a SDK version), that would be awesome !

[sentrivana]

No proper fix yet, but there's another, better workaround that allows you to still continue scrubbing everything properly: #2109 (comment)

[cnicodeme]

Thank you that's interesting!

I've implemented a conditional scrubber to ignore the Asyncmy module, and it seems to work so far, but I'm eager to update to the fixed version!