Skip to content

feat: add SENTRY_ALLOWED_IPS to allow IP, overwrite SENTRY_DISALLOWED… #115773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
markstory merged 2 commits into from
May 22, 2026
Merged

feat: add SENTRY_ALLOWED_IPS to allow IP, overwrite SENTRY_DISALLOWED… #115773

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6cd4c31
feat: add SENTRY_ALLOWED_IPS to allow IP, overwrite SENTRY_DISALLOWED…
fe80 May 19, 2026
e42a4a9
Merge branch 'master' into feat/add-allowed-ips
markstory May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/sentry/conf/server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,8 @@ def env(
"ff00::/8",
)

SENTRY_ALLOWED_IPS: tuple[str, ...] = ()

# When resolving DNS for external sources (source map fetching, webhooks, etc),
# ensure that domains are fully resolved first to avoid poking internal
# search domains.
Expand Down
10 changes: 9 additions & 1 deletion src/sentry/net/socket.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,16 +22,24 @@
ipaddress.ip_network(str(i), strict=False) for i in settings.SENTRY_DISALLOWED_IPS
)

ALLOWED_IPS = frozenset(
ipaddress.ip_network(str(i), strict=False) for i in settings.SENTRY_ALLOWED_IPS
)


@functools.lru_cache(maxsize=100)
def is_ipaddress_allowed(ip: str) -> bool:
Comment thread
fe80 marked this conversation as resolved.
"""
Test if a given IP address is allowed or not
based on the DISALLOWED_IPS rules.
based on the DISALLOWED_IPS AND ALLOWED_IPS rules.
"""
if not DISALLOWED_IPS:
return True
ip_address = ipaddress.ip_address(force_str(ip, strings_only=True))
for ip_network in ALLOWED_IPS:
if ip_address in ip_network:
return True
Comment thread
fe80 marked this conversation as resolved.

for ip_network in DISALLOWED_IPS:
if ip_address in ip_network:
return False
Expand Down
17 changes: 16 additions & 1 deletion src/sentry/testutils/helpers/socket.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@

from sentry.net import socket as net_socket

__all__ = ["override_blocklist"]
__all__ = ["override_blocklist", "override_allowlist"]


@contextlib.contextmanager
Expand All @@ -23,3 +23,18 @@ def override_blocklist(*ip_addresses: str) -> Generator[None]:
# We end up caching these disallowed ips on this function, so
# make sure we clear the cache as part of cleanup
net_socket.is_ipaddress_allowed.cache_clear()

Comment thread
cursor[bot] marked this conversation as resolved.

@contextlib.contextmanager
def override_allowlist(*ip_addresses: str) -> Generator[None]:
with mock.patch.object(
net_socket,
"ALLOWED_IPS",
frozenset(ipaddress.ip_network(ip) for ip in ip_addresses),
):
try:
yield
finally:
# We end up caching these disallowed ips on this function, so
# make sure we clear the cache as part of cleanup
net_socket.is_ipaddress_allowed.cache_clear()
22 changes: 19 additions & 3 deletions tests/sentry/net/test_socket.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@

from sentry.net.socket import ensure_fqdn, is_ipaddress_allowed, is_safe_hostname
from sentry.testutils.cases import TestCase
from sentry.testutils.helpers import override_blocklist
from sentry.testutils.helpers import override_allowlist, override_blocklist


class SocketTest(TestCase):
@override_blocklist("10.0.0.0/8", "127.0.0.1")
def test_is_ipaddress_allowed(self) -> None:
def test_is_ipaddress_blocked(self) -> None:
Comment thread
cursor[bot] marked this conversation as resolved.
is_ipaddress_allowed.cache_clear()
assert is_ipaddress_allowed("127.0.0.1") is False
is_ipaddress_allowed.cache_clear()
Expand All @@ -18,7 +18,7 @@ def test_is_ipaddress_allowed(self) -> None:
assert is_ipaddress_allowed("1.1.1.1") is True

@override_blocklist("::ffff:10.0.0.0/104", "::1/128")
def test_is_ipaddress_allowed_ipv6(self) -> None:
def test_is_ipaddress_blocked_ipv6(self) -> None:
is_ipaddress_allowed.cache_clear()
assert is_ipaddress_allowed("::1") is False
is_ipaddress_allowed.cache_clear()
Expand All @@ -28,6 +28,22 @@ def test_is_ipaddress_allowed_ipv6(self) -> None:
is_ipaddress_allowed.cache_clear()
assert is_ipaddress_allowed("2001:db8:a::123") is True

@override_blocklist("10.0.0.0/8")
@override_allowlist("10.0.0.1/32")
def test_is_ipaddress_allowed(self) -> None:
is_ipaddress_allowed.cache_clear()
assert is_ipaddress_allowed("10.0.1.1") is False
is_ipaddress_allowed.cache_clear()
assert is_ipaddress_allowed("10.0.0.1") is True

@override_blocklist("::ffff:10.0.0.0/104")
@override_allowlist("::ffff:10.0.0.1/128")
def test_is_ipaddress_allowed_ipv6(self) -> None:
is_ipaddress_allowed.cache_clear()
assert is_ipaddress_allowed("::ffff:10.0.1.2") is False
is_ipaddress_allowed.cache_clear()
assert is_ipaddress_allowed("::ffff:10.0.0.1") is True

@override_blocklist("10.0.0.0/8", "127.0.0.1")
@patch("socket.getaddrinfo")
def test_is_safe_hostname(self, mock_getaddrinfo: MagicMock) -> None:
Expand Down
Loading