ref: Add support for custom sampling context to span first (14) #5628
2 issues
Medium
Custom sampling context can overwrite span data via key collision - `sentry_sdk/tracing_utils.py:1434`
The `sampling_context.update(propagation_context.custom_sampling_context)` call at line 1434 allows user-provided custom sampling context to overwrite the `span` key. If a user calls `scope.set_custom_sampling_context({"span": {...}})`, it would replace the span metadata populated at lines 1423-1430, causing the `traces_sampler` to receive incorrect or missing span information.
custom_sampling_context can overwrite SDK-provided 'span' key in traces_sampler - `sentry_sdk/tracing_utils.py:1434`
On line 1434, `sampling_context.update(propagation_context.custom_sampling_context)` will overwrite any keys in `sampling_context`, including the `'span'` key created on lines 1424-1430. If a user or integration sets `custom_sampling_context` with a `'span'` key (e.g., via ASGI scope integration mentioned in the PR description), it will silently replace the SDK-provided span information. This breaks the contract that `traces_sampler` callbacks can reliably access `sampling_context["span"]["name"]`, `sampling_context["span"]["trace_id"]`, etc., as demonstrated in `test_custom_sampling_context_update_to_context_value_persists`.
4 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| code-review | 1 | 3m 23s | $1.55 |
| find-bugs | 1 | 2m 46s | $3.26 |
| skill-scanner | 0 | 1m 12s | $0.48 |
| security-review | 0 | 3m 43s | $0.61 |
Duration: 11m 4s · Tokens: 3.3M in / 31.9k out · Cost: $5.92 (+extraction: $0.01, +fix_gate: $0.00, +dedup: $0.01)