Merge branch 'master' into denrase/flutter-sentry-run-zoned-guarded

Author: denrase

app/platform-redirect/page.tsx

@@ -8,6 +8,8 @@ import {SmartLink} from 'sentry-docs/components/smartLink';
 import {extractPlatforms, getDocsRootNode, nodeForPath} from 'sentry-docs/docTree';
 import {setServerContext} from 'sentry-docs/serverContext';
 
+import {sanitizeNext} from './utils';
+
 export const metadata: Metadata = {
   robots: 'noindex',
   title: 'Platform Specific Content',
@@ -27,8 +29,7 @@ export default async function Page(props: {
     next = next[0];
   }
 
-  // discard the hash
-  const [pathname, _] = next.split('#');
+  const pathname = sanitizeNext(next);
   const rootNode = await getDocsRootNode();
   const defaultTitle = 'Platform Specific Content';
   let description = '';
@@ -64,7 +65,7 @@ export default async function Page(props: {
       p => p.key === requestedPlatform?.toLowerCase()
     );
     if (isValidPlatform) {
-      return redirect(`/platforms/${requestedPlatform}${next}`);
+      return redirect(`/platforms/${requestedPlatform}${pathname}`);
     }
   }
 
@@ -83,7 +84,7 @@ export default async function Page(props: {
       <ul>
         {platformList.map(p => (
           <li key={p.key}>
-            <SmartLink to={`/platforms/${p.key}${next}`}>
+            <SmartLink to={`/platforms/${p.key}${pathname}`}>
               <PlatformIcon
                 size={16}
                 platform={p.icon ?? p.key}

app/platform-redirect/utils.spec.ts

@@ -0,0 +1,46 @@
+import {describe, expect, it} from 'vitest';
+
+import {sanitizeNext} from './utils';
+
+describe('sanitizeNext', () => {
+  it('should return an empty string for external URLs', () => {
+    expect(sanitizeNext('http://example.com')).toBe('');
+    expect(sanitizeNext('https://example.com')).toBe('');
+    expect(sanitizeNext('//example.com')).toBe('');
+  });
+
+  it('should prepend a slash if missing', () => {
+    expect(sanitizeNext('path/to/resource')).toBe('/path/to/resource');
+  });
+
+  it('should not modify a valid internal path', () => {
+    expect(sanitizeNext('/path/to/resource')).toBe('/path/to/resource');
+  });
+
+  it('should remove unsafe characters', () => {
+    expect(sanitizeNext('/path/to/resource?query=1')).toBe('/path/to/resource');
+    expect(sanitizeNext('/path/to/resource#hash')).toBe('/path/to/resource');
+  });
+
+  it('should allow alphanumeric and hyphens', () => {
+    expect(sanitizeNext('/path-to/resource123')).toBe('/path-to/resource123');
+  });
+
+  it('should return an empty string for paths with colons', () => {
+    expect(sanitizeNext('/path:to/resource')).toBe('');
+  });
+
+  it('should return an empty string for the root path', () => {
+    expect(sanitizeNext('/')).toBe('');
+  });
+
+  it('should decode URL encoded characters', () => {
+    expect(sanitizeNext('/path%2Fwith%2Fslashes')).toBe('/path/with/slashes');
+  });
+
+  it('should return an empty string for a malformed URI component', () => {
+    const input = '%E0%A4%A'; // Malformed URI
+    const expectedOutput = '';
+    expect(sanitizeNext(input)).toBe(expectedOutput);
+  });
+});

app/platform-redirect/utils.ts

@@ -0,0 +1,33 @@
+export const sanitizeNext = (next: string) => {
+  // Safely decode URI component
+  let sanitizedNext: string;
+  try {
+    sanitizedNext = decodeURIComponent(next);
+  } catch (e) {
+    // Return empty string if decoding fails
+    return '';
+  }
+
+  // Validate that next is an internal path
+  if (
+    sanitizedNext.startsWith('//') ||
+    sanitizedNext.startsWith('http') ||
+    sanitizedNext.includes(':')
+  ) {
+    // Reject potentially malicious redirects
+    sanitizedNext = '';
+  }
+
+  // Ensure next starts with a forward slash and only contains safe characters
+  if (sanitizedNext && !sanitizedNext.startsWith('/')) {
+    sanitizedNext = '/' + sanitizedNext;
+  }
+
+  // Discard hash and path parameters
+  const [pathname] = sanitizedNext.split('#')[0].split('?');
+
+  // Only allow alphanumeric, hyphens
+  sanitizedNext = pathname.replace(/[^\w\-\/]/g, '');
+
+  return sanitizedNext === '/' ? '' : sanitizedNext;
+};

develop-docs/api-server/application-domains/database-migrations/index.mdx

@@ -287,7 +287,7 @@ Extra care is needed here if the table is referenced as a foreign key in other t
 
 - Make a pull request to remove all uses of the model in the codebase in a separate pull request. This mostly helps with code cleanliness. This should be merged ahead of the migration pull requests, but we don't need to worry about whether it is deployed first.
 - Make another pull request to:
-    - Remove any database level foreign key constraints from this table to other tables by setting `db_constraint=False` on the columns.
+    - Remove any database level foreign key constraints from this table to other tables by setting `db_constraint=False` on the columns. If it's a hybrid cloud foreign key, set `null=True` instead.
     - Remove the model and in the generated migration use `SafeDeleteModel(..., deletion_action=DeletionAction.MOVE_TO_PENDING)` to replace `DeleteModel(...)`. This only marks the state for the model as removed.
 - Deploy. It's important that all previous pull requests are in production before we remove the actual table.
 - Make a pull request that creates a new migration that has the same `SafeDeleteModel` operation as before, but set `deletion_action=DeletionAction.DELETE` instead. This deletes the actual table from Postgres.

develop-docs/engineering-practices/rust.mdx

@@ -50,26 +50,26 @@ During migration you may need normal functions which return futures, for their s
 
 ### Async Traits
 
-In **traits** you can not yet use `async fn` ([see this blog post](https://smallcultfollowing.com/babysteps/blog/2019/10/26/async-fn-in-traits-are-hard/)).
-In this case, functions should return `-> Pin<Box<dyn Future<Output = ...> + Send>>`:
+Support for async in **traits** has [landed in Rust](https://blog.rust-lang.org/2023/12/21/async-fn-rpit-in-traits.html)
+and should generally be preferred now.
 
 ```rust
-trait Database {
-    fn get_user(&self) -> Pin<Box<dyn Future<Output = User> + Send + '_>>;
+pub trait Database {
+    fn get_user(&self) -> impl Future<Output = User> + Send;
 }
 
-impl Database for MyDB {
-  fn get_user(&self) -> Pin<Box<dyn Future<Output = User> + Send + '_>> {
-    Box::pin(async {
-      // ...
-    })
-  }
+impl Database for MyDatabase {
+    async fn get_user(&self) -> User {
+        todo!()
+    }
 }
 ```
 
 Note that the returned future type is `Send`, to ensure that it can run on a multi-threaded runtime.
 
-This corresponds to what the [async-trait crate](https://crates.io/crates/async-trait) does.
+When you need dynamic dispatch or have to support Rust versions older than 1.75 consider using the
+[`async-trait`](https://docs.rs/async-trait/) crate.
+
 
 ### Avoid `.unwrap()`
 

develop-docs/frontend/design-tenets.mdx

@@ -58,7 +58,7 @@ Why minimize content refreshes?
 Spinners should be used carefully. Having multiple spinners on the page is distracting. Reserve spinners for primary content that has an unknown height. Favor the usage of sized placeholder elements where the height of content is known, or the content is secondary to the main goal of the page.
 
 Why use placeholders?
-- Less layout shifts / render thrash (see video below)
+- Less layout shifts / render thrash
 - Better perceived performance
 - Avoids having multiple loading spinner animations at once, which looks ugly
 

develop-docs/frontend/using-styled-components.mdx

@@ -112,6 +112,7 @@ The `style` and `css` attributes can be used, but the values of `style` are not
 ```tsx
 import styled from '@emotion/styled';
 import {css} from '@emotion/react';
+import {space} from 'sentry/styles/space';
 
 // ✅ Don't be afraid of inline styles for one-off values
 const Grid = styled('div')`

develop-docs/sdk/data-model/event-payloads/contexts.mdx

@@ -261,14 +261,17 @@ To summarize:
 
 : _Optional_. An unprocessed description string obtained by the operating system. For some well-known runtimes, Sentry will attempt to parse `name` and `version` from this string, if they are not explicitly given.
 
-`distribution`
+`distribution_name`
 
-: _Optional_. An object that provides meta-data for Linux distributions. The values correspond to entries from the [`/etc/os-release`](https://www.freedesktop.org/software/systemd/man/latest/os-release.html#Options) configuration. Contains the following keys:
+: _Optional_. A stable name for each distribution. This maps to `ID` in [`/etc/os-release`](https://www.freedesktop.org/software/systemd/man/latest/os-release.html#ID=) (examples: `ubuntu`, `rhel`, `alpine`; a full list of tested identifiers is available in the [Native SDK repository](https://github.com/getsentry/sentry-native/blob/master/tests/fixtures/os_releases/distribution_names.txt))
 
+`distribution_version`
 
-- `name`: A stable name for each distribution. This maps to `ID` in `/etc/os-release` (examples: `ubuntu`, `rhel`, `alpine`; a full list of tested identifiers is available in the [Native SDK repository](https://github.com/getsentry/sentry-native/blob/feat/add_linux_distros_to_os_context/tests/fixtures/os_releases/distribution_names.txt).
-- `version`: _Optional_. Typically identifies at least the major release version number. This maps to `VERSION_ID` in `/etc/os-release`. Distributions with rolling releases only, will not provide a version.
-- `pretty_name`: _Optional_. Typically provides the full name, full version, and release alias. This maps to `PRETTY_NAME` in `/etc/os-release` (examples: `Ubuntu 22.04.4 LTS`, `Raspian GNU/Linux 10 (buster)`).
+: _Optional_. Typically identifies at least the major release version number. This maps to `VERSION_ID` in [`/etc/os-release`](https://www.freedesktop.org/software/systemd/man/latest/os-release.html#VERSION_ID=). Distributions with rolling releases only, will not provide a version.
+
+`distribution_pretty_name`
+
+: _Optional_. Typically provides the full name, full version, and release alias. This maps to `PRETTY_NAME` in [`/etc/os-release`](https://www.freedesktop.org/software/systemd/man/latest/os-release.html#PRETTY_NAME=) (examples: `Ubuntu 22.04.4 LTS`, `Raspian GNU/Linux 10 (buster)`).
 
 ### Example OS Context
 
@@ -293,10 +296,9 @@ The OS Context for the 3 major OSs should look like this:
     "type": "os",
     "name": "Linux",
     "version": "6.1.82(99.168.amzn2023.x86_64)",
-    "distribution": {
-      "name": "amzn",
-      "version": "2023",
-      "pretty_name": "Amazon Linux 2023.4.20240401"
+    "distribution_name": "amzn",
+    "distribution_version": "2023",
+    "distribution_pretty_name": "Amazon Linux 2023.4.20240401"
     }
   }
 }
@@ -628,7 +630,7 @@ Additional information that allows Sentry to connect multiple transactions, span
 
 `span_id`
 
-: _Required_. The ID of the span.
+: _Required_. The ID of the span or transaction. For non-transaction events, and if performance monitoring is disabled, it may still be desired to attach events to a trace via a trace ID. In these cases, you still need to provide a span ID. This span ID can effectively be entirely random and doesn't need to relate to an actual span, however, it is recommended to consider using the same span ID for multiple events within the same unit-of-execution (e.g. a request). [See the TwP docs](/sdk/telemetry/traces/tracing-without-performance/#attaching-trace-data-to-events-and-envelopes) for more details.
 
 - Example: `"bb8f278130535c3c"`
 

develop-docs/sdk/processes/releases.mdx

@@ -84,7 +84,7 @@ Nice!
 
 This file is used to trigger the release from the GitHub UI.
 
-You'll notice it uses `secrets.GH_RELEASE_PAT` -- this should already be
+You'll notice it uses `vars.SENTRY_RELEASE_BOT_CLIENT_ID` and `secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY` -- these should be
 available to your repository automatically!
 
 ```yaml
@@ -105,14 +105,20 @@ jobs:
     runs-on: ubuntu-latest
     name: "Release a new version"
     steps:
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
       - uses: actions/checkout@v3
         with:
-          token: ${{ secrets.GH_RELEASE_PAT }}
+          token: ${{ steps.token.outputs.token }}
           fetch-depth: 0
       - name: Prepare release
         uses: getsentry/action-prepare-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }}
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:
           version: ${{ github.event.inputs.version }}
           force: ${{ github.event.inputs.force }}
@@ -132,11 +138,16 @@ Here's [an example PR] and the [follow-up to fix `fetch-depth`].
 Give the following teams access to your repository:
 
 - `engineering` -> `write`
-- `release-bot` -> `elevated bot`
 
 You can do this self-service via the settings page of your repository:
 `https://github.com/getsentry/REPONAME_HERE/settings/access`
 
+## Create Ruleset for the Repo
+
+Download and save the [default ruleset template](/json/Default_ruleset.json) as a JSON file.
+
+Visit the ruleset setting page of your repository: `https://github.com/getsentry/REPONAME_HERE/settings/rules`, click on the green **New ruleset** button, choose **Import a ruleset**, and select the JSON file you just downloaded. You can tweak the ruleset settings, but please don't remove the App in the Bypass List.
+
 ## Making Your First Release!
 
 Navigate to the actions tab of your repository, locate the release workflow,

develop-docs/self-hosted/troubleshooting.mdx

@@ -23,6 +23,25 @@ CSRF_TRUSTED_ORIGINS = ["https://sentry.example.com", "http://10.100.10.10", "ht
 
 See [Django's documentation on CSRF](https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS) for further detail.
 
+### `sentry-data` volume not being cleaned up
+
+You may see the `sentry-data` taking too much disk space. You can clean it manually (or putting the cleanup cronjob in place).
+
+Find the Docker mountpoint for the volume by executing:
+```bash
+docker volume inspect sentry-data
+
+# Or if you prefer to do it directly (assuming you have `jq` on your system):
+docker volume inspect sentry-data | jq -r .[0].Mountpoint
+```
+
+Then run the following command to remove the contents of the volume for the last 30 days (change the `30` to whatever you want, it's in days):
+```bash
+# `/var/lib/docker/volumes/sentry-data/_data` refers to the mountpoint of the volume
+# from the output of the previous command. Change it if it's different.
+find /var/lib/docker/volumes/sentry-data/_data -type f -mtime +30 -delete
+```
+
 ## Kafka
 
 One of the most likely things to cause issues is Kafka. The most commonly reported error is