raven-python icon indicating copy to clipboard operation
raven-python copied to clipboard

Published 20 hours ago verified publisher icon getsentry

Prevents access to request raw data in Flask

Open miracle2k opened this issue 10 years ago • 6 comments

This all seems to be a bit of a mess, but if you want to access the raw request data in Flask regardless of the content type (I can't control the client), you need to call

 request.get_data()

and you need to do this before accessing request.data or request.form, because both of these will call get_data() in such a way that the stream will be exhausted, parsed into the form dict, and the raw data is never cached.

This doesn't seem documented except in the comments: https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/wrappers.py#L440

Should the sentry extension call request.get_data() first to make sure the raw data is cached before using request.form?

miracle2k avatar May 27 '14 21:05 miracle2k

I've run into this issue also recently.

It makes sense that Flask doesn't want to cache the unparsed body. This could be really large in the case of file uploads. Triggering the caching is probably not best for all scenarios.

This is working for me right now

# Workaround to allow unparsed request body to be be read from cache
# This is required to validate a signature on webhooks
# This MUST go before Sentry integration as sentry triggers form parsing
@app.before_request
def enable_form_raw_cache():
  if request.path.startswith('/redacted'):
    if request.content_length > 1024 * 1024:  # 1mb
      abort(413)  # Payload too large
    request.get_data(parse_form_data=False, cache=True)

if config.SENTRY_DSN:
  sentry = Sentry(app, dsn=config.SENTRY_DSN, logging=True, level=logging.ERROR)

There might still be a better, more general solution. I'm not sure if the code that captures request.form could just be moved into an after_request and still have the same results?

groveriffic avatar Mar 04 '16 22:03 groveriffic

I don't think the raven client should force buffering of the body. That seems like a terrible idea because this could be (as mentioned) huge.

mitsuhiko avatar Mar 09 '16 20:03 mitsuhiko

Just ran into this. It took me a long time to realize that this is what was happening. @mitsuhiko could we perhaps add this issue to the docs in Sentry?

davidhariri avatar Aug 04 '16 20:08 davidhariri

Please add a big fat warning in the Sentry docs, also got bitten by this :/

jcerjak avatar Feb 28 '17 14:02 jcerjak

Also just ran into this. Why does the Sentry SDK need to access request.data or request.form? If the SDK is already accessing the data (and triggering it being parsed into a data structure that is attached the request) then I don't understand how it would be doing much for memory/performance concerns by not cacheing it.

jeteon avatar Sep 25 '18 10:09 jeteon

For what it's worth the new sentry-python SDK makes this configurable and generally is less invasive for accessing this information.

mitsuhiko avatar Sep 25 '18 10:09 mitsuhiko