Overview

File CVE-2024-40647-do-not-leak-environment.patch of Package python-sentry-sdk

From 763e40aa4cb57ecced467f48f78f335c87e9bdff Mon Sep 17 00:00:00 2001
From: Ivana Kellyer <ivana.kellyer@sentry.io>
Date: Mon, 8 Jul 2024 09:38:14 +0200
Subject: [PATCH] fix(integrations): don't send full env to subprocess (#3251)

During the arguments modification to `subprocess.Popen.__init__`,
an explicitly empty environment of `{}` is incorrectly confused with a `None`
environment. This causes sentry to pass the entire environment of the
parent process instead of sending just the injected environment variables.

Fix it by only replacing the environment with `os.environ` if the variable
is None, and not just falsy.

---------

Co-authored-by: Kevin Michel <kevin.michel@aiven.io>
---
 sentry_sdk/integrations/stdlib.py            |  6 +++++-
 tests/integrations/stdlib/test_subprocess.py | 13 +++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

Index: sentry-python-0.14.4/sentry_sdk/integrations/stdlib.py
===================================================================
--- sentry-python-0.14.4.orig/sentry_sdk/integrations/stdlib.py
+++ sentry-python-0.14.4/sentry_sdk/integrations/stdlib.py
@@ -180,7 +180,13 @@ def _install_subprocess():
 
         for k, v in hub.iter_trace_propagation_headers():
             if env is None:
-                env = _init_argument(a, kw, "env", 10, lambda x: dict(x or os.environ))
+                env = _init_argument(
+                    a,
+                    kw,
+                    "env",
+                    10,
+                    lambda x: dict(x if x is not None else os.environ),
+                )
             env["SUBPROCESS_" + k.upper().replace("-", "_")] = v
 
         with hub.start_span(op="subprocess", description=description) as span:
Index: sentry-python-0.14.4/tests/integrations/stdlib/test_subprocess.py
===================================================================
--- sentry-python-0.14.4.orig/tests/integrations/stdlib/test_subprocess.py
+++ sentry-python-0.14.4/tests/integrations/stdlib/test_subprocess.py
@@ -174,6 +174,19 @@ def test_subprocess_basic(
         assert sys.executable + " -c" in subprocess_init_span["description"]
 
 
+def test_subprocess_empty_env(sentry_init, monkeypatch):
+    monkeypatch.setenv("TEST_MARKER", "should_not_be_seen")
+    sentry_init(integrations=[StdlibIntegration()], traces_sample_rate=1.0)
+    with start_transaction(name="foo"):
+        args = [
+            sys.executable,
+            "-c",
+            "import os; print(os.environ.get('TEST_MARKER', None))",
+        ]
+        output = subprocess.check_output(args, env={}, universal_newlines=True)
+    assert "should_not_be_seen" not in output
+
+
 def test_subprocess_invalid_args(sentry_init):
     sentry_init(integrations=[StdlibIntegration()])
openSUSE Build Service is sponsored by
Places