Add project auth checks in external issue creation and deletion #112709

Merged: geoffg-sentry merged 5 commits into master from geoffg-sentry/harden-issue-linking on Apr 15, 2026

Conversation

@geoffg-sentry (Contributor) commented Apr 10, 2026

After #112605 I went hunting for some other vulnerabilities around external issue linking with some specific criteria for VULN-1434:

  • Enforce project-level access and respect open team membership
  • Maintain the control/cell boundaries, no redrawing of the silos and keep changes in RPC

Found and fixed some in external issue creation and deletion while passing issueIDs in the same org:

  • Refactored _extract_lazy_object since it was private to installation_external_issue_actions
  • create_external_issue POST now auth checks with has_project_access, killing an IDOR
  • delete_external_issue DELETE does the same, killing another IDOR
  • get_select_options called with a projectId could hit other projects you weren't scoped for, hardened

Updated schema in getsentry/sentry-api-schema#66

Now split properly to make User optional in the first merge, followed up by making it a requirement in the next PR. Will be enforced afterward.
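
An added example (not Sentry's code and not part of this PR) that models the two IDOR fixes the description lists: the "before" lookup that only checks the external issue's organization, and the "after" that also requires access to the issue's project, with the same check applied when a `create` request passes an issue id from the same org. `Store`, `Actor`, `Group`, `ExternalIssue`, the in-memory `has_project_access` (same org, then either open membership or a shared team), and the fixture data are all constructed assumptions; Sentry's real `has_project_access`, its endpoints and its RPC layer are not reproduced here.

```python
# Added example, not Sentry's code: org-scoped vs project-scoped lookups for
# external-issue linking. Every name and value below is constructed for illustration.
from dataclasses import dataclass, field


class NotFound(Exception):
    """Stands in for an HTTP 404: the caller learns nothing about the object."""


@dataclass(frozen=True)
class Project:
    id: int
    org_id: int
    team_ids: frozenset  # teams that can reach this project


@dataclass(frozen=True)
class Group:
    """An issue: the 'issueId' a client sends when linking an external ticket."""
    id: int
    org_id: int
    project_id: int


@dataclass(frozen=True)
class ExternalIssue:
    id: int
    org_id: int
    project_id: int
    group_id: int
    external_ref: str


@dataclass(frozen=True)
class Actor:
    """Assumed shape of the authenticated caller."""
    user_id: int
    org_id: int
    team_ids: frozenset


@dataclass
class Store:
    """Constructed in-memory stand-in for the database."""
    open_membership: bool = False  # assumed org setting: any member can reach any project
    projects: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)
    external_issues: dict = field(default_factory=dict)
    next_id: int = 1


def has_project_access(store, actor, project):
    """Assumed semantics: same org, and then either open membership or a shared team."""
    if actor.org_id != project.org_id:
        return False
    if store.open_membership:
        return True
    return bool(actor.team_ids & project.team_ids)


def _load_in_org(table, obj_id, actor):
    """Org-only scoping: stops cross-org access but not cross-project access."""
    obj = table.get(obj_id)
    if obj is None or obj.org_id != actor.org_id:
        raise NotFound(obj_id)
    return obj


def _require_project_access(store, actor, project_id):
    project = store.projects[project_id]
    if not has_project_access(store, actor, project):
        # Same error as "does not exist", so the response does not confirm the id is valid.
        raise NotFound(project_id)
    return project


def delete_external_issue_org_scoped(store, actor, external_issue_id):
    """Before: any org member can delete any external issue in the org (the IDOR)."""
    issue = _load_in_org(store.external_issues, external_issue_id, actor)
    del store.external_issues[issue.id]
    return issue.id


def delete_external_issue(store, actor, external_issue_id):
    """After: the caller must also have access to the issue's project."""
    issue = _load_in_org(store.external_issues, external_issue_id, actor)
    _require_project_access(store, actor, issue.project_id)
    del store.external_issues[issue.id]
    return issue.id


def create_external_issue(store, actor, group_id, external_ref):
    """Hardened create: the group's project, not just its org, must be reachable."""
    group = _load_in_org(store.groups, group_id, actor)
    _require_project_access(store, actor, group.project_id)
    issue = ExternalIssue(store.next_id, group.org_id, group.project_id, group.id, external_ref)
    store.next_id += 1
    store.external_issues[issue.id] = issue
    return issue


def build_demo_store():
    """Constructed fixture: one org (10) with two projects behind different teams."""
    store = Store()
    store.projects[1] = Project(1, org_id=10, team_ids=frozenset({100}))
    store.projects[2] = Project(2, org_id=10, team_ids=frozenset({200}))
    store.groups[501] = Group(501, org_id=10, project_id=1)
    store.groups[502] = Group(502, org_id=10, project_id=2)
    store.external_issues[9] = ExternalIssue(9, 10, 2, 502, "TICKET-1")
    store.next_id = 10
    return store
```

The design point is that both paths still return the same 404 whether the id is missing, belongs to another org, or belongs to a project the caller cannot reach, so the hardened check closes the cross-project access without turning the endpoint into an existence oracle; flipping `open_membership` on the fixture shows why the description calls out respecting open team membership, since the project check must then pass for every member of the org.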

github-actions bot added the "Scope: Backend" label (automatically applied to PRs that change backend components) Apr 10, 2026
geoffg-sentry changed the title from "(fix): idors in external issue linking and some hardening" to "Add project auth checks in external issue creation and deletion" Apr 10, 2026
@geoffg-sentry geoffg-sentry marked this pull request as ready for review April 10, 2026 18:58
@geoffg-sentry geoffg-sentry requested review from a team as code owners April 10, 2026 18:58
@geoffg-sentry geoffg-sentry requested review from a team April 10, 2026 19:17
@geoffg-sentry geoffg-sentry requested a review from markstory April 15, 2026 16:51
@markstory (Member) left a comment

Looks good to me.

@geoffg-sentry geoffg-sentry merged commit 2d1edc9 into master Apr 15, 2026
78 checks passed
@geoffg-sentry geoffg-sentry deleted the geoffg-sentry/harden-issue-linking branch April 15, 2026 19:54