The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.
In Python's subprocess calls, all environment variables are passed to subprocesses by default. If you specifically do not want them to be passed to a subprocess, you can use the env argument of the subprocess call, as in this example:
subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'
If you want to pass no environment variables at all, you can set an empty dict:
subprocess.check_output(["env"], env={})
b''
However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.
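As an added illustration (not code from the advisory or from the Sentry SDK), the snippet below shows the class of mistake that turns env={} into "inherit everything" (an empty dict is falsy, so an `or` fallback silently substitutes the parent environment) beside the correct None check, and gives a small canary-based regression check you can run after sentry_sdk.init() to confirm whether the installed SDK leaks the parent environment to a child started with env={}. The helper names and the canary variable are my own.

```python
"""Added example: env={} leak regression check and the falsy-empty-dict pitfall."""
import os
import subprocess
import sys

# Hypothetical helper showing the pitfall: {} is falsy, so `requested or parent`
# hands the whole parent environment to the child when env={} was requested.
# This illustrates the bug class; it is not a copy of the SDK's own code.
def merge_env_buggy(requested, parent):
    return dict(requested or parent)

# Correct: only None means "inherit"; an explicit empty dict means "pass nothing".
def merge_env_fixed(requested, parent):
    return dict(parent if requested is None else requested)

CANARY = "ENV_LEAK_CANARY"  # constructed variable name for the check

def child_sees_canary(env):
    """Spawn a Python child with the given env; return True if it can read CANARY.

    Call this after sentry_sdk.init() with the Stdlib integration enabled:
    with env={} the child must NOT see the canary on a fixed SDK."""
    os.environ[CANARY] = "constructed-test-value"
    out = subprocess.check_output(
        [sys.executable, "-c", "import os; print(os.environ.get('%s', ''))" % CANARY],
        env=env,
    )
    return out.decode().strip() == "constructed-test-value"

def env_leak_check():
    """Return (inherits_by_default, leaks_with_empty_env)."""
    return child_sees_canary(None), child_sees_canary({})

if __name__ == "__main__":
    inherits, leaks = env_leak_check()
    print("env=None inherits parent environment:", inherits)   # expected: True
    print("env={} leaks parent environment:", leaks)           # expected: False
    sys.exit(1 if leaks else 0)
```

Run it as a script in the same interpreter that initializes the SDK; a non-zero exit means env={} is being overridden and the upgrade or workaround is still needed.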
Package and Versions
Package: sentry-sdk (pip)
Affected Version(s): < 2.8.0
Patched Version(s): 2.8.0
Patches
The issue has been patched in getsentry/sentry-python#3251 and the fix was released in sentry-sdk==2.8.0.
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:
In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.
OR
Disable Stdlib integration:
import sentry_sdk
# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")
sentry_sdk.init(...)
CVSS 3.1 Score and Vector
Information
Sentry docs: Default integrations
Python docs: subprocess module
Patch getsentry/sentry-python#3251
Credit: kmichel-aiven