Sentry-ruby: Raven to Sentry new SDK - CSRF Issue

Created on 5 Jan 2021  路  12Comments  路  Source: getsentry/sentry-ruby

Trying to migrate Raven to Sentry new SDK, got this error while reporting

    <section class="body">
        <div class="page-header">
            <h2>CSRF Verification Failed</h2>
        </div>

        <p>A required security token was not found or was invalid.</p>

        <p>If you're continually seeing this issue, try the following:</p>

        <ol>
          <li>Clear cookies (at least for Sentry's domain).</li>
          <li>Reload the page you're trying to submit (don't re-submit data).</li>
          <li>Re-enter the information, and submit the form again.</li>
        </ol>


          <p>You are seeing this message because Sentry requires a 'Referer
           header' to be sent by your Web browser, but none was sent. This header is
           required for security reasons, to ensure that your browser is not being
           hijacked by third parties.</p>

          <p>If you have configured your browser to disable 'Referer' headers, please
           re-enable them, at least for this site, or for HTTPS connections, or for
           'same-origin' requests.</p>


        <p>Read more about <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF on Wikipedia</a>.</p>
    </section>

I'm using the long dsn with api & secret. I don't have this problem reporting error with Raven in rails console

Environment
ruby '2.6.5'

 sentry-rails (4.1.3)
  rails (>= 5.0)
  sentry-ruby (~> 4.1.2)
sentry-ruby (4.1.2)
  concurrent-ruby (~> 1.0, >= 1.0.2)
  faraday (>= 1.0)

Raven Config

This is not necessary but could be helpful.

Sentry.init do |config|
    # config.dsn = config.dsn = CONFIG[:sentry_dns]
    config.breadcrumbs_logger = [:active_support_logger]

    # To activate performance monitoring, set one of these options.
    # We recommend adjusting the value in production:
    config.traces_sample_rate = 0.5
    # or
    config.traces_sampler = lambda do |context|
      true
    end

    config.background_worker_threads = 0
    config.enabled_environments = %w[development staging production]
end
question

All 12 comments

I don't have this problem reporting error with Raven in rails console

Do you mean calls like Sentry.capture_message("test message") work in the console but not in your application?

I'm using the long dsn with api & secret.

Although this doesn't seem relevant, we did change the way we use DSN in the new SDK. Can you use the new DSN instead and see if this still happens? You can find the new DSN under the project setting's Client Keys section (you should find it in the sidebar).

I have the same problem
I try Sentry.capture_message("test message"), still the same

I changed sentry-raven, Solve it锛孉lthough no error was reported, it was not sent successfully, There are other problems.

@niejingfa thanks for the info as well.
I think https://github.com/getsentry/sentry/issues/8049 may be relevant to this issue. @niejingfa @aovertus does your dsn have a trailing slash?

@st0012

I tried:

https://public_key:[email protected]/project_id/
https://public_key:[email protected]/project_id

https://[email protected]/project_id/
https://[email protected]/project_id

nothing works either console or directly through the app

Something is off with the dsn, what is the format I should provide ?
https://docs.sentry.io/platforms/ruby/#configure

The ones from project settings don't

currently, the example app is using https://[email protected]/5434472

so I think this format should work: https://[email protected]/project_id

@aovertus there's another possible factor: the type of Sentry and the version you use. in the new SDK we've switched the reporting endpoint from /store to /envelope, which requires 20.6.0 and above version if you use the on-premise installation.

still not working @st0012

bundle show sentry-ruby
/.rvm/gems/ruby-2.6.5/gems/sentry-ruby-4.1.2
bundle show sentry-rails
/.rvm/gems/ruby-2.6.5/gems/sentry-rails-4.1.3

20.6.0 is the version of what? Its not near the current ruby SDK version.

I inspected the http transport:

[1] pry(#<Sentry::HTTPTransport>)> @endpoint
=> "/api/144/envelope/"

I'm out of option for something which seem really simple, otherwise I just drop it and go back to Raven

@aovertus do you use self-hosted Sentry or sentry.io?

20.6.0 and above version

This is saying that if you self-host Sentry, it must be version 20.6.0 or later. But I guess you're not using a self-hosted one as you don't recognize the version format.

Let's debug it in steps:

Test your DSN alone

  1. create a file called test.rb with the content:
require "sentry-ruby"

Sentry.init do |config|
  config.dsn = YOUR_DSN
end

Sentry.capture_message("test Sentry", hint: { background: false })
  1. run bundle exec ruby test.rb

If that still doesn't work, then it means the root cause is on the dsn format. I'm not saying it's the dsn's issue though, maybe the new SDK doesn't handle certain formats properly.

Check the generated auth header

Please run this code in your Rails console:

Sentry::Transport.new(Sentry.configuration).generate_auth_header

And check if the return value's format matches the below one

"Sentry sentry_version=5, sentry_client=sentry-ruby/4.1.2, sentry_timestamp=1609984752, sentry_key=2fb45f003d054a7ea47feb45898f7649"

@st0012

Hi Stan thanks for the answer,

I did a bit of digging, the company is using a self hosted (the dsn reflect that) which is running on version 8.17.0

I'll investigate to do the upgrade of the self host solution on our side then try again,

thanks for your time!

@aovertus np 馃憤 . I'm going to label this issue as question instead and close it for now. feel free to open it if you still have the same problem after the upgrade.

It would be great to have a minimal Sentry version listed under requirements in README.md.

@yoyostile thanks for the suggestion, I've added it to sentry-ruby's readme.

Was this page helpful?
0 / 5 - 0 ratings