[BUG]: fields represented as bytes are not redacted automatically #14199

@msladecek

Tracer Version(s)

3.10.3

Python Version(s)

3.13.4

Pip Version(s)

N/A, using uv 0.7.21

Bug Report

Summary

We've leaked an authorization token into Datadog error tracking because the captured locals were not properly sanitized.

Details

  • We run ddtrace with DD_EXCEPTION_REPLAY_ENABLED=true to capture local variables on errors.
  • An error occurred in our authentication middleware and the locals were captured.
  • The request object, along with its component headers, was captured in full.
  • The authorization header was captured unredacted.

The default list of redacted identifiers includes terms like "authorization", so one would think that the relevant HTTP headers would get sanitized, but the framework we use (FastAPI/Starlette) lists the headers as the bytes type, not str, so the sanitization logic didn't catch it.

In the error tracking it showed up as b'authorization': b'Basic abc123...'

Reproduction Code

No response

Error Logs

No response

Libraries in Use

No response

Operating System

No response
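
An added illustration of the mismatch this report describes, not ddtrace's code and not part of the original issue: a redactor that compares only str keys lets bytes header names through, while normalizing keys to str before the comparison catches them. The identifier set, function names and sample locals are constructed assumptions.

```python
# Added example: a hypothetical redactor, not ddtrace's implementation.
# Constructed subset of sensitive identifiers (assumption, not the real list).
REDACTED_IDENTIFIERS = frozenset({"authorization", "cookie", "password"})
REDACTED = "{redacted}"

# Constructed sample of captured locals; values are placeholders.
SAMPLE_LOCALS = {
    "headers": {b"authorization": b"Basic PLACEHOLDER", b"host": b"example.test"},
    "raw_headers": [(b"Authorization", b"Basic PLACEHOLDER"), (b"accept", b"*/*")],
    "password": "PLACEHOLDER",
}


def redact_str_only(mapping):
    """Failure mode from the report: only str keys are compared."""
    return {
        k: REDACTED if isinstance(k, str) and k.lower() in REDACTED_IDENTIFIERS else v
        for k, v in mapping.items()
    }


def _normalize(key):
    """Lowercase str form of a key; bytes are decoded, other types give None."""
    if isinstance(key, (bytes, bytearray)):
        key = bytes(key).decode("latin-1")  # latin-1 decoding cannot fail
    return key.lower() if isinstance(key, str) else None


def redact(value):
    """Redact dicts and lists of (key, value) pairs, for str or bytes keys."""
    if isinstance(value, dict):
        return {
            k: REDACTED if _normalize(k) in REDACTED_IDENTIFIERS else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        out = []
        for item in value:
            is_pair = isinstance(item, tuple) and len(item) == 2
            if is_pair and _normalize(item[0]) in REDACTED_IDENTIFIERS:
                out.append((item[0], REDACTED))
            else:
                out.append(redact(item))
        return out if isinstance(value, list) else tuple(out)
    return value


if __name__ == "__main__":
    print(redact_str_only(SAMPLE_LOCALS["headers"]))  # bytes key slips through
    print(redact(SAMPLE_LOCALS))
```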
