Skip to content

Add project auth checks in external issue creation and deletion #112709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
geoffg-sentry merged 5 commits into from
Apr 15, 2026

postpone rpc_user param until next change

961dd07
Select commit
Loading
Failed to load commit list.
Merged

Add project auth checks in external issue creation and deletion #112709

postpone rpc_user param until next change
961dd07
Select commit
Loading
Failed to load commit list.
@sentry/warden / warden completed Apr 15, 2026 in 3m 1s

1 issue

High

Project-level IDOR not fixed: user not passed to RPC prevents has_project_access enforcement - `src/sentry/sentry_apps/api/endpoints/installation_external_issues.py:48-55`

The authentication check at line 44-45 ensures the user is authenticated, but the user parameter is not passed to create_external_issue() RPC call. In impl.py:202-214, the has_project_access() check only runs when user is not None. Since user is not passed, any authenticated organization member can create external issues for groups in projects they don't have access to (violating open team membership restrictions). The org-level scoping at impl.py:184 only prevents cross-organization access, not cross-project access within the same org.

Also found at:

  • src/sentry/sentry_apps/api/endpoints/installation_external_requests.py:40-48
2 skills analyzed
Skill Findings Duration Cost
sentry-security 1 2m 53s $2.01
sentry-backend-bugs 0 1m 57s $1.86

Duration: 4m 50s · Tokens: 2.1M in / 30.6k out · Cost: $3.88 (+extraction: $0.01, +merge: $0.00, +fix_gate: $0.00, +dedup: $0.00)

View more details on @sentry/warden