merge master

alexander-alderman-webb · alexander-alderman-webb · commit ae7e4d73d5cf · 2026-04-09T09:47:29.000+02:00
diff --git a/sentry_sdk/_werkzeug.py b/sentry_sdk/_werkzeug.py
@@ -38,6 +38,7 @@
     from typing import Dict
     from typing import Iterator
     from typing import Tuple
+    from typing import Optional
 
 
 #
@@ -62,35 +63,41 @@ def _get_headers(environ: "Dict[str, str]") -> "Iterator[Tuple[str, str]]":
             yield key.replace("_", "-").title(), value
 
 
-#
+def _strip_default_port(host: str, scheme: "Optional[str]") -> str:
+    """Strip the port from the host if it's the default for the scheme."""
+    if scheme == "http" and host.endswith(":80"):
+        return host[:-3]
+    if scheme == "https" and host.endswith(":443"):
+        return host[:-4]
+    return host
+
+
 # `get_host` comes from `werkzeug.wsgi.get_host`
 # https://github.com/pallets/werkzeug/blob/1.0.1/src/werkzeug/wsgi.py#L145
-#
+
+
 def get_host(environ: "Dict[str, str]", use_x_forwarded_for: bool = False) -> str:
     """
     Return the host for the given WSGI environment.
     """
+    scheme = environ.get("wsgi.url_scheme")
+    if use_x_forwarded_for:
+        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
+
     if use_x_forwarded_for and "HTTP_X_FORWARDED_HOST" in environ:
-        rv = environ["HTTP_X_FORWARDED_HOST"]
-        if environ["wsgi.url_scheme"] == "http" and rv.endswith(":80"):
-            rv = rv[:-3]
-        elif environ["wsgi.url_scheme"] == "https" and rv.endswith(":443"):
-            rv = rv[:-4]
+        return _strip_default_port(environ["HTTP_X_FORWARDED_HOST"], scheme)
     elif environ.get("HTTP_HOST"):
-        rv = environ["HTTP_HOST"]
-        if environ["wsgi.url_scheme"] == "http" and rv.endswith(":80"):
-            rv = rv[:-3]
-        elif environ["wsgi.url_scheme"] == "https" and rv.endswith(":443"):
-            rv = rv[:-4]
+        return _strip_default_port(environ["HTTP_HOST"], scheme)
     elif environ.get("SERVER_NAME"):
+        # SERVER_NAME/SERVER_PORT describe the internal server, so use
+        # wsgi.url_scheme (not the forwarded scheme) for port decisions.
         rv = environ["SERVER_NAME"]
         if (environ["wsgi.url_scheme"], environ["SERVER_PORT"]) not in (
             ("https", "443"),
             ("http", "80"),
         ):
             rv += ":" + environ["SERVER_PORT"]
+        return rv
     else:
         # In spite of the WSGI spec, SERVER_NAME might not be present.
-        rv = "unknown"
-
-    return rv
+        return "unknown"
diff --git a/sentry_sdk/ai/consts.py b/sentry_sdk/ai/consts.py
@@ -0,0 +1,6 @@
+import re
+
+# Matches data URLs with base64-encoded content, e.g. "data:image/png;base64,iVBORw0K..."
+DATA_URL_BASE64_REGEX = re.compile(
+    r"^data:(?:[a-zA-Z0-9][a-zA-Z0-9.+\-]*/[a-zA-Z0-9][a-zA-Z0-9.+\-]*)(?:;[a-zA-Z0-9\-]+=[^;,]*)*;base64,(?:[A-Za-z0-9+/\-_]+={0,2})$"
+)
diff --git a/sentry_sdk/ai/utils.py b/sentry_sdk/ai/utils.py
@@ -4,6 +4,7 @@
 from typing import TYPE_CHECKING
 
 from sentry_sdk._types import BLOB_DATA_SUBSTITUTE
+from sentry_sdk.ai.consts import DATA_URL_BASE64_REGEX
 
 if TYPE_CHECKING:
     from typing import Any, Callable, Dict, List, Optional, Tuple
@@ -588,6 +589,20 @@ def _find_truncation_index(messages: "List[Dict[str, Any]]", max_bytes: int) ->
     return 0
 
 
+def _is_image_type_with_blob_content(item: "Dict[str, Any]") -> bool:
+    """
+    Some content blocks contain an image_url property with base64 content as its value.
+    This is used to identify those while not leading to unnecessary copying of data when the image URL does not contain base64 content.
+    """
+    if item.get("type") != "image_url":
+        return False
+
+    image_url = item.get("image_url", {}).get("url", "")
+    data_url_match = DATA_URL_BASE64_REGEX.match(image_url)
+
+    return bool(data_url_match)
+
+
 def redact_blob_message_parts(
     messages: "List[Dict[str, Any]]",
 ) -> "List[Dict[str, Any]]":
@@ -640,7 +655,9 @@ def redact_blob_message_parts(
         content = message.get("content")
         if isinstance(content, list):
             for item in content:
-                if isinstance(item, dict) and item.get("type") == "blob":
+                if isinstance(item, dict) and (
+                    item.get("type") == "blob" or _is_image_type_with_blob_content(item)
+                ):
                     has_blobs = True
                     break
         if has_blobs:
@@ -661,8 +678,11 @@ def redact_blob_message_parts(
         content = message.get("content")
         if isinstance(content, list):
             for item in content:
-                if isinstance(item, dict) and item.get("type") == "blob":
-                    item["content"] = BLOB_DATA_SUBSTITUTE
+                if isinstance(item, dict):
+                    if item.get("type") == "blob":
+                        item["content"] = BLOB_DATA_SUBSTITUTE
+                    elif _is_image_type_with_blob_content(item):
+                        item["image_url"]["url"] = BLOB_DATA_SUBSTITUTE
 
     return messages_copy
 
diff --git a/sentry_sdk/integrations/pydantic_ai/consts.py b/sentry_sdk/integrations/pydantic_ai/consts.py
@@ -1,8 +1 @@
-import re
-
 SPAN_ORIGIN = "auto.ai.pydantic_ai"
-
-# Matches data URLs with base64-encoded content, e.g. "data:image/png;base64,iVBORw0K..."
-DATA_URL_BASE64_REGEX = re.compile(
-    r"^data:(?:[a-zA-Z0-9][a-zA-Z0-9.+\-]*/[a-zA-Z0-9][a-zA-Z0-9.+\-]*)(?:;[a-zA-Z0-9\-]+=[^;,]*)*;base64,(?:[A-Za-z0-9+/\-_]+={0,2})$"
-)
diff --git a/sentry_sdk/integrations/pydantic_ai/spans/utils.py b/sentry_sdk/integrations/pydantic_ai/spans/utils.py
@@ -5,7 +5,7 @@
 from sentry_sdk.ai.utils import get_modality_from_mime_type
 from sentry_sdk.consts import SPANDATA
 
-from ..consts import DATA_URL_BASE64_REGEX
+from sentry_sdk.ai.consts import DATA_URL_BASE64_REGEX
 
 from typing import TYPE_CHECKING
 
diff --git a/sentry_sdk/integrations/wsgi.py b/sentry_sdk/integrations/wsgi.py
@@ -57,8 +57,12 @@ def get_request_url(
     path_info = environ.get("PATH_INFO", "").lstrip("/")
     path = f"{script_name}/{path_info}"
 
+    scheme = environ.get("wsgi.url_scheme")
+    if use_x_forwarded_for:
+        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
+
     return "%s://%s/%s" % (
-        environ.get("wsgi.url_scheme"),
+        scheme,
         get_host(environ, use_x_forwarded_for),
         wsgi_decoding_dance(path).lstrip("/"),
     )
diff --git a/tests/integrations/wsgi/test_wsgi.py b/tests/integrations/wsgi/test_wsgi.py
@@ -6,7 +6,11 @@
 
 import sentry_sdk
 from sentry_sdk import capture_message
-from sentry_sdk.integrations.wsgi import SentryWsgiMiddleware, _ScopedResponse
+from sentry_sdk.integrations.wsgi import (
+    SentryWsgiMiddleware,
+    _ScopedResponse,
+    get_request_url,
+)
 
 
 @pytest.fixture
@@ -547,3 +551,94 @@ def app(environ, start_response):
         assert isinstance(result, _ScopedResponse)
     else:
         assert result is response_mock
+
+
+@pytest.mark.parametrize(
+    "environ,use_x_forwarded_for,expected_url",
+    [
+        # Without use_x_forwarded_for, wsgi.url_scheme is used
+        (
+            {
+                "wsgi.url_scheme": "http",
+                "SERVER_NAME": "example.com",
+                "SERVER_PORT": "80",
+                "PATH_INFO": "/test",
+                "HTTP_X_FORWARDED_PROTO": "https",
+            },
+            False,
+            "http://example.com/test",
+        ),
+        # With use_x_forwarded_for, HTTP_X_FORWARDED_PROTO is respected
+        (
+            {
+                "wsgi.url_scheme": "http",
+                "SERVER_NAME": "example.com",
+                "SERVER_PORT": "80",
+                "PATH_INFO": "/test",
+                "HTTP_X_FORWARDED_PROTO": "https",
+            },
+            True,
+            "https://example.com/test",
+        ),
+        # With use_x_forwarded_for but no forwarded proto, wsgi.url_scheme is used
+        (
+            {
+                "wsgi.url_scheme": "http",
+                "SERVER_NAME": "example.com",
+                "SERVER_PORT": "80",
+                "PATH_INFO": "/test",
+            },
+            True,
+            "http://example.com/test",
+        ),
+        # Forwarded host with default https port is stripped using forwarded proto
+        (
+            {
+                "wsgi.url_scheme": "http",
+                "SERVER_NAME": "internal",
+                "SERVER_PORT": "80",
+                "PATH_INFO": "/test",
+                "HTTP_X_FORWARDED_PROTO": "https",
+                "HTTP_X_FORWARDED_HOST": "example.com:443",
+            },
+            True,
+            "https://example.com/test",
+        ),
+        # Forwarded host with non-default port is preserved
+        (
+            {
+                "wsgi.url_scheme": "http",
+                "SERVER_NAME": "internal",
+                "SERVER_PORT": "80",
+                "PATH_INFO": "/test",
+                "HTTP_X_FORWARDED_PROTO": "https",
+                "HTTP_X_FORWARDED_HOST": "example.com:8443",
+            },
+            True,
+            "https://example.com:8443/test",
+        ),
+        # Forwarded proto with HTTP_HOST (no forwarded host) strips default port
+        (
+            {
+                "wsgi.url_scheme": "http",
+                "HTTP_HOST": "example.com:443",
+                "SERVER_NAME": "internal",
+                "SERVER_PORT": "80",
+                "PATH_INFO": "/test",
+                "HTTP_X_FORWARDED_PROTO": "https",
+            },
+            True,
+            "https://example.com/test",
+        ),
+    ],
+    ids=[
+        "ignores_forwarded_proto_when_disabled",
+        "respects_forwarded_proto_when_enabled",
+        "falls_back_to_url_scheme_when_no_forwarded_proto",
+        "strips_default_https_port_from_forwarded_host",
+        "preserves_non_default_port_on_forwarded_host",
+        "strips_default_port_from_http_host_with_forwarded_proto",
+    ],
+)
+def test_get_request_url_x_forwarded_proto(environ, use_x_forwarded_for, expected_url):
+    assert get_request_url(environ, use_x_forwarded_for) == expected_url
diff --git a/tests/test_ai_monitoring.py b/tests/test_ai_monitoring.py
@@ -814,6 +814,71 @@ def test_redacts_blobs_in_multiple_messages(self):
         assert result[1]["content"] == "I see the image."  # Unchanged
         assert result[2]["content"][1]["content"] == BLOB_DATA_SUBSTITUTE
 
+    def test_redacts_single_blob_within_image_url_content(self):
+        messages = [
+            {
+                "role": "user",
+                "content": [
+                    {
+                        "text": "How many ponies do you see in the image?",
+                        "type": "text",
+                    },
+                    {
+                        "type": "image_url",
+                        "image_url": {"url": "data:image/jpeg;base64,/9j/4AAQSkZJRg=="},
+                    },
+                ],
+            }
+        ]
+
+        original_blob_content = messages[0]["content"][1]
+
+        result = redact_blob_message_parts(messages)
+
+        assert messages[0]["content"][1] == original_blob_content
+
+        assert (
+            result[0]["content"][0]["text"]
+            == "How many ponies do you see in the image?"
+        )
+        assert result[0]["content"][0]["type"] == "text"
+        assert result[0]["content"][1]["type"] == "image_url"
+        assert result[0]["content"][1]["image_url"]["url"] == BLOB_DATA_SUBSTITUTE
+
+    def test_does_not_redact_image_url_content_with_non_blobs(self):
+        messages = [
+            {
+                "role": "user",
+                "content": [
+                    {
+                        "text": "How many ponies do you see in the image?",
+                        "type": "text",
+                    },
+                    {
+                        "type": "image_url",
+                        "image_url": {"url": "https://example.com/image.jpg"},
+                    },
+                ],
+            }
+        ]
+
+        original_blob_content = messages[0]["content"][1]
+
+        result = redact_blob_message_parts(messages)
+
+        assert messages[0]["content"][1] == original_blob_content
+
+        assert (
+            result[0]["content"][0]["text"]
+            == "How many ponies do you see in the image?"
+        )
+        assert result[0]["content"][0]["type"] == "text"
+        assert result[0]["content"][1]["type"] == "image_url"
+        assert (
+            result[0]["content"][1]["image_url"]["url"]
+            == "https://example.com/image.jpg"
+        )
+
     def test_no_blobs_returns_original_list(self):
         """Test that messages without blobs are returned as-is (performance optimization)"""
         messages = [
