feat(wsgi): Apply data_collection filtering to URL query strings#6827
feat(wsgi): Apply data_collection filtering to URL query strings#6827ericapisani wants to merge 4 commits into
Conversation
Filter WSGI request event and span query strings through the data_collection.url_query_params behaviour (denylist/allowlist/off) instead of gating query string capture solely on send_default_pii. This brings WSGI-based integrations in line with the data collection spec's handling of cookies and headers. Rename the data_collection field query_params to url_query_params to match the updated data collection spec, which distinguishes URL query params from other key-value data (cookies, headers). Update the DataCollection/DataCollectionUserOptions TypedDicts, resolution logic in data_collection.py, and all WSGI/Flask/Django test coverage accordingly. Refs PY-2583
Codecov Results 📊✅ 93252 passed | ⏭️ 6302 skipped | Total: 99554 | Pass Rate: 93.67% | Execution Time: 327m 49s 📊 Comparison with Base Branch
All tests are passing successfully. ✅ Patch coverage is 100.00%. Project has 2479 uncovered lines. Files with missing lines (1)
Coverage diff@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 89.67% 89.71% +0.04%
==========================================
Files 193 193 —
Lines 24004 24097 +93
Branches 8340 8408 +68
==========================================
+ Hits 21526 21618 +92
- Misses 2478 2479 +1
- Partials 1387 1391 +4Generated by Codecov Action |
|
Moving this back to draft as, on looking at the spec again, the query parameters are not supposed to appear URL encoded in the attributes |
…orm with what is shown in the data collection spec
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit fad0c9a. Configure here.
|
|
||
| attributes["url.full"] = get_request_url(environ, use_x_forwarded_for) | ||
|
|
||
| elif should_send_default_pii(): |
There was a problem hiding this comment.
Span client address dropped
Medium Severity
_get_request_attributes uses if has_data_collection_enabled / elif should_send_default_pii(). Enabling _experiments.data_collection always takes the first branch, so client.address is never set even when send_default_pii is true.
Reviewed by Cursor Bugbot for commit fad0c9a. Configure here.
| parts.append(f"{key}={item}") | ||
| return "&".join(parts) | ||
|
|
||
| return None |
There was a problem hiding this comment.
Query rebuild splits values
Medium Severity
_apply_data_collection_filtering_to_query_string parses with parse_qs (URL-decoding values) then rebuilds with f"{key}={item}" joined by &. Decoded values that contain & or = are not escaped, so one parameter can be misread as several and filtering can misrepresent the original query.
Reviewed by Cursor Bugbot for commit fad0c9a. Configure here.


Filter WSGI request event and span query strings through the
data_collection.url_query_params behaviour (denylist/allowlist/off)
instead of gating query string capture solely on send_default_pii.
This brings WSGI-based integrations in line with the data collection
spec's handling of cookies and headers.
Rename the data_collection field query_params to url_query_params to
match the updated data collection spec, which distinguishes URL query
params from other key-value data (cookies, headers). Update the
DataCollection/DataCollectionUserOptions TypedDicts, resolution logic
in data_collection.py, and all WSGI/Flask/Django test coverage
accordingly.
Refs PY-2583