Skip to content

fix(flags): relax StatsigEventSerializer validation for unused fields#119142

Open
sentry[bot] wants to merge 1 commit into
masterfrom
claude/fix-statsig-serializer-validation-5j6z
Open

fix(flags): relax StatsigEventSerializer validation for unused fields#119142
sentry[bot] wants to merge 1 commit into
masterfrom
claude/fix-statsig-serializer-validation-5j6z

Conversation

@sentry

@sentry sentry Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes SENTRY-5J6Z

Overly strict validation in StatsigEventSerializer for unused fields causes DeserializationError when processing Statsig webhooks containing unexpected formats.

Root Cause

StatsigEventSerializer defined strict type constraints on several fields that Sentry doesn't actually use in the handle() method:

  • user was DictField(child=serializers.CharField()) — rejected nested dictionaries (e.g. {"custom": {"nested": "object"}})
  • value was CharField(required=False) — rejected empty strings (blank not allowed by default)
  • timeUUID was UUIDField(required=False) — rejected non-UUID format strings
  • statsigMetadata and unitID — also unused but defined

When Statsig sent webhooks containing any of these unexpected formats, the serializer rejected the entire payload and raised a DeserializationError, preventing valid audit log events from being processed.

Fix

  • Remove unused fields (value, statsigMetadata, timeUUID, unitID) from the serializer entirely. DRF silently ignores undefined fields, so any format Statsig sends for these will be accepted without validation.
  • Relax user validation by removing child=serializers.CharField() from the DictField, allowing nested objects that get_path() already handles correctly in the handler.
  • Add allow_blank=True to userID for robustness.

The three required fields (eventName, timestamp, metadata) that are actually used by the handler remain strictly validated.

Remove overly strict validation in StatsigEventSerializer for fields
that Sentry doesn't use (value, statsigMetadata, timeUUID, unitID).
These fields caused DeserializationError when Statsig webhooks contained
unexpected formats like nested objects in user, empty strings in value,
or non-UUID strings in timeUUID.

Changes:
- Remove unused fields (value, statsigMetadata, timeUUID, unitID) from
  StatsigEventSerializer. DRF silently ignores undefined fields, so
  any format Statsig sends for these will be accepted.
- Remove child=serializers.CharField() from user DictField to allow
  nested objects (e.g. {'custom': {'nested': 'object'}}).
- Add allow_blank=True to userID CharField for robustness.
- Add test for unexpected field formats.

Fixes SENTRY-5J6Z
@sentry sentry Bot requested a review from a team as a code owner July 7, 2026 19:08
@github-actions github-actions Bot added the Scope: Backend Automatically applied to PRs that change backend components label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Scope: Backend Automatically applied to PRs that change backend components

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant