Bearer · elsapet · Jun 3, 2024 · May 31, 2024
diff --git a/rules/python/third_parties/sentry.yml b/rules/python/third_parties/sentry.yml
@@ -0,0 +1,97 @@
+imports:
+  - python_shared_lang_datatype
+  - python_shared_lang_import1
+  - python_shared_lang_import2
+patterns:
+  - pattern: |
+      $<SENTRY_METHOD>($<...>$<DATA_TYPE>$<...>)
+    filters:
+      - variable: SENTRY_METHOD
+        detection: python_shared_lang_import1
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [sentry_sdk]
+          - variable: NAME
+            values:
+              - add_breadcrumb
+              - set_context
+              - set_tag
+              - set_user
+      - variable: DATA_TYPE
+        detection: python_shared_lang_datatype
+        scope: result
+  - pattern: $<SCOPE>.$<METHOD>($<...>$<DATA_TYPE>$<...>)
+    filters:
+      - variable: SCOPE
+        detection: python_third_parties_sentry_scope
+        scope: cursor
+      - variable: METHOD
+        values:
+          - set_tag
+          - user
+      - variable: DATA_TYPE
+        detection: python_shared_lang_datatype
+        scope: result
+  - pattern: $<SCOPE>.$<METHOD> = $<...>$<DATA_TYPE>$<...>
+    filters:
+      - variable: SCOPE
+        detection: python_third_parties_sentry_scope
+        scope: cursor
+      - variable: METHOD
+        values:
+          - set_tag
+          - user
+      - variable: DATA_TYPE
+        detection: python_shared_lang_datatype
+        scope: result
+  - pattern: $<CRUMB>['user'] = current_user.email
+    filters:
+      - variable: CRUMB
+        detection: python_third_parties_sentry_breadcrumb
+        scope: cursor
+      - variable: DATA_TYPE
+        detection: python_shared_lang_datatype
+        scope: result
+auxiliary:
+  - id: python_third_parties_sentry_breadcrumb
+    patterns:
+      - |
+        def before_breadcrumb($<!>$<_>):
+  - id: python_third_parties_sentry_scope
+    patterns:
+      - pattern: $<SENTRY_SCOPE>.get_current_scope($<...>)
+        filters:
+          - variable: SENTRY_SCOPE
+            detection: python_shared_lang_import2
+            scope: cursor
+            filters:
+              - variable: MODULE1
+                values: [sentry_sdk]
+              - variable: MODULE2
+                values: [scope]
+              - variable: NAME
+                values: [Scope]
+languages:
+  - python
+severity: medium
+skip_data_types:
+  - Unique Identifier
+metadata:
+  description: Leakage of sensitive data to Sentry
+  remediation_message: |
+    ## Description
+
+    Leaking sensitive data to third-party loggers like Sentry is a common cause of data leaks and can lead to data breaches.
+
+    ## Remediations
+
+    - **Do** ensure all sensitive data is removed when sending data to third-party loggers like Sentry.
+
+    ## References
+    - [Sentry Docs](https://docs.sentry.io/)
+  cwe_id:
+    - 201
+  associated_recipe: Sentry
+  id: python_third_parties_sentry
+  documentation_url: https://docs.bearer.com/reference/rules/python_third_parties_sentry
diff --git a/tests/python/third_parties/sentry/test.js b/tests/python/third_parties/sentry/test.js
@@ -0,0 +1,20 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("sentry", () => {
+    const testCase = "main.py"
+
+    const results = invoke(testCase)
+
+    expect(results).toEqual({
+      Missing: [],
+      Extra: []
+    })
+  })
+})
diff --git a/tests/python/third_parties/sentry/testdata/main.py b/tests/python/third_parties/sentry/testdata/main.py
@@ -0,0 +1,38 @@
+from sentry_sdk import add_breadcrumb
+# bearer:expected python_third_parties_sentry
+add_breadcrumb(
+    category='auth',
+    message='Authenticated user %s' % user.email,
+    level='info',
+)
+
+# bearer:expected python_third_parties_sentry
+def before_breadcrumb(crumb):
+  crumb['user'] = current_user.email
+  return crumb
+
+from sentry_sdk.scope import Scope
+scope = Scope.get_current_scope()
+# bearer:expected python_third_parties_sentry
+scope.set_tag("pii", user.fullname)
+# bearer:expected python_third_parties_sentry
+scope.user = {"id": user.uuid, "email": user.email}
+
+from sentry_sdk import set_user
+# bearer:expected python_third_parties_sentry
+set_user({"id": user.uuid, "email": user.email})
+
+from sentry_sdk import set_tag
+# bearer:expected python_third_parties_sentry
+set_tag("current_user", user.email)
+
+import sentry_sdk
+# bearer:expected python_third_parties_sentry
+sentry_sdk.set_context("user", {
+  "name": user.fullname,
+  "age": user.age,
+})
+# bearer:expected python_third_parties_sentry
+sentry_sdk.set_tag("current_user", user.email)
+# bearer:expected python_third_parties_sentry
+sentry_sdk.set_user({"id": user.uuid, "email": user.email})