Sanitize oauth callback error parameter

[cursor]

This PR fixes a vulnerability where unsanitized error parameters from OAuth callbacks were directly reflected into error messages and logs.

The changes introduce a sanitization function (_sanitize_oauth_error_value) that collapses, truncates, and escapes user-provided error strings. This prevents malicious input from being injected into system logs or displayed raw to users, enhancing the security and robustness of the OAuth flow.

Regression tests confirm proper sanitization and handling of various error inputs.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

---

 

[codecov]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
29870	2	29868	245

View the top 2 failed test(s) by shortest run time

tests.sentry.identity.test_oauth2.OAuth2CallbackViewTest::test_dispatch_handles_blank_error

Stack Traces | 0.055s run time

#x1B[1m#x1B[.../sentry/identity/test_oauth2.py#x1B[0m:192: in test_dispatch_handles_blank_error
    lifecycle.record_failure.assert_called_once_with(
#x1B[1m#x1B[.../hostedtoolcache/Python/3.13.1.../x64/lib/python3.13/unittest/mock.py#x1B[0m:988: in assert_called_once_with
    raise AssertionError(msg)
#x1B[1m#x1B[31mE   AssertionError: Expected 'record_failure' to be called once. Called 0 times.#x1B[0m

tests.sentry.identity.test_oauth2.OAuth2CallbackViewTest::test_dispatch_sanitizes_error_parameter

Stack Traces | 0.056s run time

#x1B[1m#x1B[.../sentry/identity/test_oauth2.py#x1B[0m:173: in test_dispatch_sanitizes_error_parameter
    pipeline.error.assert_called_once_with(f"{ERR_INVALID_STATE}\nError: {expected_error}")
#x1B[1m#x1B[.../hostedtoolcache/Python/3.13.1....../x64/lib/python3.13/unittest/mock.py#x1B[0m:989: in assert_called_once_with
    return self.assert_called_with(*args, **kwargs)
#x1B[1m#x1B[.../hostedtoolcache/Python/3.13.1....../x64/lib/python3.13/unittest/mock.py#x1B[0m:977: in assert_called_with
    raise AssertionError(_error_message()) from cause
#x1B[1m#x1B[31mE   AssertionError: expected call not found.#x1B[0m
#x1B[1m#x1B[31mE   Expected: error("An error occurred while validating your request.\nError: bad\\n1NjfU4n3X\\') OR 456=(SELECT 456 FROM PG_SLEEP(15))--")#x1B[0m
#x1B[1m#x1B[31mE     Actual: error("An error occurred while validating your request.\nError: bad 1NjfU4n3X') OR 456=(SELECT 456 FROM PG_SLEEP(15))--")#x1B[0m

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}