fix(asgi): Gate query string and client IP behind send_default_pii

ericapisani · ericapisani · commit 666e6fbccef4 · 2026-06-04T08:38:58.000-04:00
Move http.query and client.address attribute collection inside the should_send_default_pii() check so sensitive values are not captured by default. Fixes PY-2514 Fixes #6499
diff --git a/sentry_sdk/integrations/_asgi_common.py b/sentry_sdk/integrations/_asgi_common.py
@@ -121,6 +121,7 @@ def _get_request_attributes(asgi_scope: "Any") -> "dict[str, Any]":
         for header, value in headers.items():
             attributes[f"http.request.header.{header.lower()}"] = value
 
+    if should_send_default_pii():
         query = _get_query(asgi_scope)
         if query:
             attributes["http.query"] = query
@@ -129,9 +130,9 @@ def _get_request_attributes(asgi_scope: "Any") -> "dict[str, Any]":
             asgi_scope, "http" if ty == "http" else "ws", headers.get("host")
         )
 
-    client = asgi_scope.get("client")
-    if client and should_send_default_pii():
-        ip = _get_ip(asgi_scope)
-        attributes["client.address"] = ip
+        client = asgi_scope.get("client")
+        if client:
+            ip = _get_ip(asgi_scope)
+            attributes["client.address"] = ip
 
     return attributes
diff --git a/tests/integrations/asgi/test_asgi.py b/tests/integrations/asgi/test_asgi.py
@@ -164,6 +164,10 @@ def test_invalid_transaction_style(asgi3_app):
 
 
 @pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "should_send_pii",
+    [True, False],
+)
 @pytest.mark.parametrize(
     "span_streaming",
     [True, False],
@@ -174,9 +178,10 @@ async def test_capture_transaction(
     capture_events,
     capture_items,
     span_streaming,
+    should_send_pii,
 ):
     sentry_init(
-        send_default_pii=True,
+        send_default_pii=should_send_pii,
         traces_sample_rate=1.0,
         _experiments={
             "trace_lifecycle": "stream" if span_streaming else "static",
@@ -203,16 +208,18 @@ async def test_capture_transaction(
         assert span["attributes"]["sentry.span.source"] == "url"
         assert span["attributes"]["sentry.op"] == "http.server"
 
-        assert span["attributes"]["url.full"] == "http://localhost/some_url"
         assert span["attributes"]["network.protocol.name"] == "http"
         assert span["attributes"]["http.request.method"] == "GET"
-        assert span["attributes"]["http.query"] == "somevalue=123"
         assert span["attributes"]["http.request.header.host"] == "localhost"
         assert span["attributes"]["http.request.header.remote-addr"] == "127.0.0.1"
         assert (
             span["attributes"]["http.request.header.user-agent"] == "ASGI-Test-Client"
         )
 
+        if should_send_pii:
+            assert span["attributes"]["url.full"] == "http://localhost/some_url"
+            assert span["attributes"]["http.query"] == "somevalue=123"
+
     else:
         (transaction_event,) = events
 
