postpone rpc_user param until next change

961dd07

Merged

Add project auth checks in external issue creation and deletion #112709

@sentry/warden / warden: sentry-security completed Apr 15, 2026 in 2m 58s

1 issue

sentry-security: Found 1 issue (1 high)

High

Project-level IDOR not fixed: user not passed to RPC prevents has_project_access enforcement - `src/sentry/sentry_apps/api/endpoints/installation_external_issues.py:48-55`

The authentication check at line 44-45 ensures the user is authenticated, but the `user` parameter is not passed to `create_external_issue()` RPC call. In `impl.py:202-214`, the `has_project_access()` check only runs when `user is not None`. Since `user` is not passed, any authenticated organization member can create external issues for groups in projects they don't have access to (violating open team membership restrictions). The org-level scoping at `impl.py:184` only prevents cross-organization access, not cross-project access within the same org.

Also found at:

  • src/sentry/sentry_apps/api/endpoints/installation_external_requests.py:40-48

Duration: 2m 53s · Tokens: 915.5k in / 15.1k out · Cost: $2.02 (+extraction: $0.01, +merge: $0.00, +fix_gate: $0.00)

Annotations

Check failure on line 55 in src/sentry/sentry_apps/api/endpoints/installation_external_issues.py


Project-level IDOR not fixed: user not passed to RPC prevents has_project_access enforcement


Check failure on line 48 in src/sentry/sentry_apps/api/endpoints/installation_external_requests.py


[FLA-EA3] Project-level IDOR not fixed: user not passed to RPC prevents has_project_access enforcement (additional location)
