fix(explorer): Properly escape transaction names in Snuba queries (#97591)

seer-by-sentry[bot] · roaga · web-flow · commit dc6c46b2d9a7 · 2025-08-11T11:27:29.000-07:00
Fixes [SEER-2X5](https://sentry.io/organizations/sentry/issues/6803858981/). The issue was that: Transaction name containing SQL query unescaped into Snuba search query, causing parse error and 400 Bad Request. - Encloses the transaction name in double quotes when constructing the Snuba query string in `index_data.py`. This prevents parsing errors when the transaction name contains special characters, such as SQL queries. - Adds a test script `test_transaction_name_escaping.py` to verify that transaction names with problematic characters are properly escaped. This fix was generated by Seer in Sentry, triggered by Rohan Agarwal. 👁️ Run ID: 752838 Not quite right? [Click here to continue debugging with Seer.](https://sentry.io/organizations/sentry/issues/6803858981/?seerDrawer=true) ### Legal Boilerplate Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms. --------- Co-authored-by: seer-by-sentry[bot] <157164994+seer-by-sentry[bot]@users.noreply.github.com> Co-authored-by: Rohan Agarwal <rohan.agarwal@sentry.io>
diff --git a/src/sentry/seer/explorer/index_data.py b/src/sentry/seer/explorer/index_data.py
@@ -1,4 +1,5 @@
 import logging
+import re
 from datetime import UTC, datetime, timedelta
 from typing import Any
 
@@ -33,6 +34,9 @@
 
 logger = logging.getLogger(__name__)
 
+# Regex to match unescaped quotes (not preceded by backslash)
+UNESCAPED_QUOTE_RE = re.compile('(?<!\\\\)"')
+
 
 def get_transactions_for_project(project_id: int) -> list[Transaction]:
     """
@@ -137,9 +141,10 @@ def get_trace_for_transaction(transaction_name: str, project_id: int) -> TraceDa
     )
 
     # Step 1: Get trace IDs with their span counts in a single query
+    escaped_transaction_name = UNESCAPED_QUOTE_RE.sub('\\"', transaction_name)
     traces_result = Spans.run_table_query(
         params=snuba_params,
-        query_string=f"transaction:{transaction_name} project.id:{project_id}",
+        query_string=f'transaction:"{escaped_transaction_name}" project.id:{project_id}',
         selected_columns=[
             "trace",
             "count()",  # This counts all spans in each trace
@@ -462,7 +467,8 @@ def get_issues_for_transaction(transaction_name: str, project_id: int) -> Transa
     start_time = end_time - timedelta(hours=24)
 
     # Step 1: Search for issues using transaction filter
-    query = f'is:unresolved transaction:"{transaction_name}"'
+    escaped_transaction_name = UNESCAPED_QUOTE_RE.sub('\\"', transaction_name)
+    query = f'is:unresolved transaction:"{escaped_transaction_name}"'
     search_filters = parse_and_convert_issue_search_query(
         query, project.organization, [project], [], AnonymousUser()
     )
diff --git a/tests/sentry/seer/explorer/test_index_data.py b/tests/sentry/seer/explorer/test_index_data.py
@@ -706,3 +706,72 @@ def test_get_issues_for_transaction(self) -> None:
             assert (
                 "tags" in issue.events[0] or issue.events[0].get("transaction") == transaction_name
             )
+
+    def test_get_issues_for_transaction_with_quotes(self) -> None:
+        """Test that transaction names with quotes and search operators are properly escaped in search queries."""
+        # Test case 1: Transaction name with quotes that would break search syntax if not escaped
+        transaction_name_quotes = 'GET /api/users/"john"/profile'
+
+        # Create an event/issue for the transaction with quotes
+        event1 = self.store_event(
+            data={
+                "message": "Authentication failed for quoted user",
+                "tags": [["transaction", transaction_name_quotes]],
+                "fingerprint": ["auth-error-quotes"],
+                "platform": "python",
+                "timestamp": self.ten_mins_ago.isoformat(),
+                "level": "error",
+            },
+            project_id=self.project.id,
+        )
+
+        # Test case 2: Transaction name with " IN " operator that could break search syntax
+        transaction_name_in = "POST /api/check IN database/users"
+
+        # Create an event/issue for the transaction with IN operator
+        event2 = self.store_event(
+            data={
+                "message": "Database operation failed",
+                "tags": [["transaction", transaction_name_in]],
+                "fingerprint": ["database-in-error"],
+                "platform": "python",
+                "timestamp": self.ten_mins_ago.isoformat(),
+                "level": "error",
+            },
+            project_id=self.project.id,
+        )
+
+        # Verify both events were stored with correct transaction names
+        latest_event1 = event1.group.get_latest_event()
+        transaction_tag1 = latest_event1.get_tag("transaction")
+        assert transaction_tag1 == transaction_name_quotes
+
+        latest_event2 = event2.group.get_latest_event()
+        transaction_tag2 = latest_event2.get_tag("transaction")
+        assert transaction_tag2 == transaction_name_in
+
+        # Test quotes case - this should not crash despite quotes in transaction name
+        result1 = get_issues_for_transaction(transaction_name_quotes, self.project.id)
+
+        # Verify the quotes result
+        assert result1 is not None
+        assert result1.transaction_name == transaction_name_quotes
+        assert result1.project_id == self.project.id
+        assert len(result1.issues) == 1
+
+        issue1 = result1.issues[0]
+        assert issue1.id == event1.group.id
+        assert issue1.transaction == transaction_name_quotes
+
+        # Test IN operator case - this should not crash despite IN operator in transaction name
+        result2 = get_issues_for_transaction(transaction_name_in, self.project.id)
+
+        # Verify the IN operator result
+        assert result2 is not None
+        assert result2.transaction_name == transaction_name_in
+        assert result2.project_id == self.project.id
+        assert len(result2.issues) == 1
+
+        issue2 = result2.issues[0]
+        assert issue2.id == event2.group.id
+        assert issue2.transaction == transaction_name_in
