feat(query): Reject non-datetime conditions on datetime columns#8020
feat(query): Reject non-datetime conditions on datetime columns#8020phacops wants to merge 2 commits into
Conversation
DatetimeConditionValidator previously logged a warning and let invalid queries through when a datetime column was compared to a non-datetime literal. Raise InvalidQueryException so callers get a proper 4xx response instead of a silent log line. The datetime_condition_error metric is still emitted before the raise so we can keep tracking offending callers. The original TODO from 2023 asked to flip this to an exception once product teams stopped sending bad queries; the validator has been in log-only mode for ~3 years. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/sAb6K7VallsoyAv5s7-QhOmxc8o6NXZEdzIk6akjxsY
It would, but there's nothing else to do in I regenerated the subscriptions and I think the error went away, making this safe to merge. |
The previous check raised InvalidQueryException whenever a datetime column was compared to anything that wasn't a Python `datetime` instance. That rejected valid datetime *strings* -- e.g. `2026-06-11T17:36:06.001000+00:00` (Sentry event deletion) and `2026-06-11 14:00:00` (the legacy JSON query API) -- turning routine queries into 4xx/500s. Validate the value instead: a `datetime` instance or a string that parses via `datetime.fromisoformat` is accepted; everything else (notably bare epochs like `1726374214000`, the value behind SNUBA-ABR) is rejected. This keeps the exception behavior while shrinking the blast radius to genuinely-invalid conditions. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Good catch — yes, as originally written it would have. In the executor, Rather than swallow it in the executor, I traced SNUBA-ABR to the root cause:
I also hardened this validator (latest commit): instead of rejecting anything that isn't a Python |
It's still happening so I think you should catch this in the subscriptions executor |
|
We're definitely not catching this in the executor. Also, the script to regenerate subscriptions didn't fully run. |
MeredithAnya
left a comment
MeredithAnya
left a comment
There was a problem hiding this comment.
only merge when we see the bad subscription is gone, otherwise you will suffer consequences
2 participants
Make
DatetimeConditionValidatorraiseInvalidQueryExceptionwhen a datetime column is compared to a non-datetime literal, instead of emitting a warning log and letting the query through. Callers now get a proper 4xx error rather than a silent log line that's easy to miss.This was the plan from the start — the original commit (a4569bf, Feb 2023) introduced the validator in log-only "shadow mode" with a TODO to flip it to an exception once product teams stopped sending bad queries. That follow-up never happened and the TODO has been sitting there for ~3 years. We've had plenty of time to clean up offending callers.
The
datetime_condition_errormetric is still emitted before the raise so we can keep tracking who's sending bad queries (and, if this regresses anything, know where to look).Risk
Any caller still relying on the previous log-and-pass behavior will now get a 4xx. Worth eyeballing the
datetime_condition_errormetric before merging to gauge blast radius.Agent transcript: https://claudescope.sentry.dev/share/xh6_yT5vSneLsYnzPV2YBjhBu_yRkmI2iGsg42x6aeA