fix: Data leak in ThreadingIntegration between threads #4281

Merged
merged 36 commits into from
Apr 15, 2025

Member

@antonpirker antonpirker commented Apr 11, 2025

It is possible to leak data from started threads into the main thread via the scopes. (Because the same scope object from the main thread could be changed in the started thread.)
This change always makes a fork (copy) of the scopes of the main thread before it propagates those scopes into the started thread.
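
A minimal illustration of the leak and the fix described above, as an added example that is not part of this pull request or of the SDK's code. `Scope`, `run_in_thread`, `handle_job` and `demo` are hypothetical stand-ins, and the tag values are constructed sample data.

```python
import copy
import threading


class Scope:
    """Toy stand-in for an SDK scope: mutable context data (hypothetical)."""

    def __init__(self):
        self.tags = {}

    def set_tag(self, key, value):
        self.tags[key] = value

    def fork(self):
        # Deep copy so nested mutable state is not shared with the parent.
        return copy.deepcopy(self)


def run_in_thread(parent_scope, work, fork):
    """Run `work` in a new thread, handing it the parent's scope.

    fork=False passes the very same object (the leaky propagation);
    fork=True passes a copy taken before the thread starts (the fix).
    """
    child_scope = parent_scope.fork() if fork else parent_scope
    thread = threading.Thread(target=work, args=(child_scope,))
    thread.start()
    thread.join()
    return child_scope


def handle_job(scope):
    # Constructed sample data: context only the started thread should carry.
    scope.set_tag("user.email", "worker-only@example.test")


def demo(fork):
    """Return (main thread tags, started thread tags) after the job ran."""
    main_scope = Scope()
    main_scope.set_tag("request_id", "req-1")
    child_scope = run_in_thread(main_scope, handle_job, fork)
    return main_scope.tags, child_scope.tags


if __name__ == "__main__":
    print("shared scope:", demo(fork=False)[0])
    print("forked scope:", demo(fork=True)[0])
```

With the shared object, the main thread's scope ends up holding the tag that only the started thread set; with the fork, the started thread still inherits `request_id` but its later changes stay in its own copy.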

codecov bot commented Apr 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.55%. Comparing base (706d2d2) to head (ca8aa30).
Report is 1 commits behind head on master.

✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4281      +/-   ##
==========================================
+ Coverage   79.52%   79.55%   +0.03%     
==========================================
  Files         142      142              
  Lines       15905    15917      +12     
  Branches     2721     2722       +1     
==========================================
+ Hits        12648    12663      +15     
  Misses       2390     2390              
+ Partials      867      864       -3     
Files with missing lines Coverage Δ
sentry_sdk/integrations/threading.py 89.33% <100.00%> (+2.03%) ⬆️

... and 4 files with indirect coverage changes

@antonpirker antonpirker changed the title from "More threading tests" to "fix: data leak in threads" Apr 11, 2025
@antonpirker antonpirker changed the title from "fix: data leak in threads" to "fix: Data leak in ThreadingIntegration between threads" Apr 11, 2025
@antonpirker antonpirker marked this pull request as ready for review April 11, 2025 07:54
@antonpirker antonpirker requested a review from a team as a code owner April 11, 2025 07:54
Member

@szokeasaurusrex szokeasaurusrex left a comment

lgtm, but check with @sl0thentr0py first (I was unclear about the outcome from the Slack thread discussion)

Contributor

@sentrivana sentrivana left a comment

Nice! Please check comments

and django_version >= (3, 0)
and django_version < (4, 0)
):
warnings.warn(
Contributor

Since this is happening in Thread.start, we might log this even if a thread is started outside of Django -- but I don't think we have a way of detecting that. And since this is a warnings.warn message, it should only be printed once and not spam on every Thread.start, so hopefully this is fine.

Member Author

The problem with the unawaited future is only happening if old Python, Django and channels are used in combination. On a vanilla Python project on old Python versions the threading works fine.

Contributor

Yeah, my point was more that someone might have Django/channels installed in their venv but use threads in an unrelated script that has nothing to do with their Django app, and they would get this warning too. But as said, I don't see a way around this.

Member Author

Now I get it. Yes, that is true. But as you said, the warning is only emitted once, so I think it is ok.

@antonpirker antonpirker merged commit 2d392af into master Apr 15, 2025
138 checks passed
@antonpirker antonpirker deleted the antonpirker/threading-tests branch April 15, 2025 10:30
3 participants