Idor issue group operations #107989
Draft
Idor issue group operations #107989
+78
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit fixes a security vulnerability where users could access and modify groups from projects they don't have access to by using qualified short IDs (e.g., 'PROJECT-123'). The issue was in the get_group_list function which would fetch groups by qualified short ID without validating that the user has access to the project. Changes: - Modified get_group_list to filter groups by accessible projects when using qualified short IDs - Added comprehensive tests to verify project access validation - Handles mixed integer IDs and qualified short IDs correctly Security Impact: - Prevents unauthorized access to issue groups across projects within the same organization - Ensures all group operations (resolve, assign, merge, etc.) respect project permissions Co-authored-by: Charlie Luo <cvxluo@gmail.com>
Contributor
|
Cursor Agent can help with this pull request. Just |
github-actions
bot
added
the
Scope: Backend
Co-authored-by: Charlie Luo <cvxluo@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix: IDOR in Issue Group Operations via Qualified Short ID
This PR resolves an IDOR (Insecure Direct Object Reference) vulnerability in the
get_group_listhelper function.Why this change?
Previously, when
get_group_listwas called with qualified short IDs (e.g., "PROJECT-123"), it only validated organization membership. This allowed users to access and modify groups in projects they did not have explicit access to, as long as they were part of the same organization.How this change addresses the issue?
The
get_group_listfunction has been updated to:New tests have been added to
tests/sentry/api/helpers/test_group_index.pyto verify project access filtering and handling of mixed ID types.Legal Boilerplate
Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.
Linear Issue: ID-1351