fix(flags): relax StatsigEventSerializer validation for unused fields#119142
Open
sentry[bot] wants to merge 1 commit into
Open
fix(flags): relax StatsigEventSerializer validation for unused fields#119142sentry[bot] wants to merge 1 commit into
sentry[bot] wants to merge 1 commit into
Conversation
Remove overly strict validation in StatsigEventSerializer for fields
that Sentry doesn't use (value, statsigMetadata, timeUUID, unitID).
These fields caused DeserializationError when Statsig webhooks contained
unexpected formats like nested objects in user, empty strings in value,
or non-UUID strings in timeUUID.
Changes:
- Remove unused fields (value, statsigMetadata, timeUUID, unitID) from
StatsigEventSerializer. DRF silently ignores undefined fields, so
any format Statsig sends for these will be accepted.
- Remove child=serializers.CharField() from user DictField to allow
nested objects (e.g. {'custom': {'nested': 'object'}}).
- Add allow_blank=True to userID CharField for robustness.
- Add test for unexpected field formats.
Fixes SENTRY-5J6Z
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes SENTRY-5J6Z
Overly strict validation in
StatsigEventSerializerfor unused fields causesDeserializationErrorwhen processing Statsig webhooks containing unexpected formats.Root Cause
StatsigEventSerializerdefined strict type constraints on several fields that Sentry doesn't actually use in thehandle()method:userwasDictField(child=serializers.CharField())— rejected nested dictionaries (e.g.{"custom": {"nested": "object"}})valuewasCharField(required=False)— rejected empty strings (blank not allowed by default)timeUUIDwasUUIDField(required=False)— rejected non-UUID format stringsstatsigMetadataandunitID— also unused but definedWhen Statsig sent webhooks containing any of these unexpected formats, the serializer rejected the entire payload and raised a
DeserializationError, preventing valid audit log events from being processed.Fix
value,statsigMetadata,timeUUID,unitID) from the serializer entirely. DRF silently ignores undefined fields, so any format Statsig sends for these will be accepted without validation.uservalidation by removingchild=serializers.CharField()from theDictField, allowing nested objects thatget_path()already handles correctly in the handler.allow_blank=TruetouserIDfor robustness.The three required fields (
eventName,timestamp,metadata) that are actually used by the handler remain strictly validated.