Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security(issue-alerts): Validate the issue alert owner is a member of the organization #29962

Merged
merged 1 commit into from
Nov 12, 2021
Merged

security(issue-alerts): Validate the issue alert owner is a member of the organization #29962

merged 1 commit into from
Nov 12, 2021

Conversation

wedamija
Copy link
Member

Followup to #29939, this fixes the same problem in issue
alerts.

Also noticed some tests weren't running since they were accidentally nested. One could be removed
since it was no longer valid, put the other back in place.

@wedamija
security(issue-alerts): Validate the issue alert owner is a member of…
e86c449 
… the organization

Followup to #29939, this fixes the same problem in issue
alerts.

Also noticed some tests weren't running since they were accidentally nested. One could be removed
since it was no longer valid, put the other back in place.
@wedamija wedamija requested review from a team November 11, 2021 19:57
scefali
scefali reviewed Nov 11, 2021
View reviewed changes
tests/sentry/api/endpoints/test_project_rule_details.py
)

assert response.status_code == 400, response.content
assert str(response.data["owner"][0]) == "User is not a member of this organization"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wedamija shouldn't we give a 404 or something as to not give away that this organization exists if the user isn't part of it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The organization will already be validated at this point, so that's not a concern since the user will only hit this point if they're a member of the org. It might give away that a given user id or team id is a valid id, but it's easy enough to create a new user or team and assume that every id between 0 -> <new_id> is likely used, so we're not giving much away there either.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wedamija I'm confused. If the user is not a member of the organization and they hit this endpoint, are they going to get a 400 or a 404?

Copy link
Contributor

@scefali scefali Nov 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh duh...I understand now. The owner isn't necessarily the user making the request.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pr isn't changing that. There are two users involved here:

  • The user making the request. This user has to be authenticated and authorized to access the organization and project to create/modify alert rules on the project. I'm not changing this validation at all.
  • The owner of the rule. This is a parameter that the user can provide, and can be a team or a user. Previously this could be any sentry user/team, and now it's restricted to only users and teams that belong to the org. If the passed owner is from another org, then we will return a 400 here.

@wedamija wedamija requested a review from scefali November 12, 2021 22:11
scefali
scefali approved these changes Nov 12, 2021
View reviewed changes
Copy link
Contributor

@scefali scefali left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wedamija I should point out that ActorField won't work with an integration token (at lleast right now).

@wedamija
Copy link
Member Author

@wedamija I should point out that ActorField won't work with an integration token (at lleast right now).

I don't think that will affect it? The ActorField doesn't look at the request at all, just parses an actor like user:123 or team:123, makes sure they're a real user/team, and that they belong to the org passed through context

@wedamija wedamija merged commit c25b2b5 into master Nov 12, 2021
@wedamija wedamija deleted the danf/issue_alerts_validate_owner branch November 12, 2021 22:45
@github-actions github-actions bot locked and limited conversation to collaborators Nov 28, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@scefali scefali scefali approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wedamija @scefali