test(integrations): Cover webhook header masking edge cases and secret scrubbing

billyvg · claude · billyvg · commit bfcfdcca4be2 · 2026-06-10T10:02:34.000-04:00
Lock in the security and correctness guarantees of the webhook header
masking logic that were previously only described in comments:

- CR/LF rejection guards against header injection / request splitting
- reserved-header check is case-insensitive (relies on .lower())
- a masked entry with no stored match is dropped, never persisting the
  literal mask placeholder as a real header value
- the documented rename-while-masked drop behavior is pinned
- relocation export scrubs webhook_headers so secrets never leave

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/tests/sentry/sentry_apps/api/endpoints/test_sentry_app_details.py b/tests/sentry/sentry_apps/api/endpoints/test_sentry_app_details.py
@@ -820,6 +820,72 @@ def test_clear_webhook_headers(self) -> None:
         self.published_app.refresh_from_db()
         assert self.published_app.webhook_headers == []
 
+    @override_options({"staff.ga-rollout": True})
+    def test_webhook_headers_reject_newline_injection(self) -> None:
+        # CR/LF in a header would let a caller smuggle extra headers / split the
+        # request when these are written to the outgoing webhook. The validator must
+        # reject them regardless of which line terminator is used.
+        for malicious in [
+            "X-Evil: value\r\nInjected: gotcha",
+            "X-Evil: value\nInjected: gotcha",
+            "X-Evil: value\rInjected: gotcha",
+        ]:
+            response = self.get_error_response(
+                self.published_app.slug,
+                webhookHeaders=[malicious],
+                status_code=400,
+            )
+            assert "webhookHeaders" in response.data
+            self.published_app.refresh_from_db()
+            assert self.published_app.webhook_headers == []
+
+    @override_options({"staff.ga-rollout": True})
+    def test_webhook_headers_reserved_check_is_case_insensitive(self) -> None:
+        # The reserved-name guard normalizes with .lower(), so non-canonical casing
+        # must not slip a reserved header through.
+        for reserved in ["content-TYPE: text/plain", "HOST: evil.test", "SENTRY-HOOK-foo: x"]:
+            response = self.get_error_response(
+                self.published_app.slug,
+                webhookHeaders=[reserved],
+                status_code=400,
+            )
+            assert "webhookHeaders" in response.data
+
+    @override_options({"staff.ga-rollout": True})
+    def test_webhook_headers_unmatched_masked_entry_dropped(self) -> None:
+        # A masked entry whose name matches no stored header can't be re-paired to a
+        # real value. It must be dropped rather than persisting the literal mask as a
+        # header value (which would then be sent on every outgoing webhook).
+        self.published_app.webhook_headers = ["Authorization: Bearer secret-token"]
+        self.published_app.save()
+
+        self.get_success_response(
+            self.published_app.slug,
+            webhookHeaders=[
+                f"Authorization: {MASKED_VALUE}",
+                f"X-Ghost: {MASKED_VALUE}",
+            ],
+            status_code=200,
+        )
+        self.published_app.refresh_from_db()
+        assert self.published_app.webhook_headers == ["Authorization: Bearer secret-token"]
+
+    @override_options({"staff.ga-rollout": True})
+    def test_webhook_headers_rename_while_masked_drops_entry(self) -> None:
+        # Documented limitation: renaming a header while leaving its value masked
+        # can't be matched by the new name, so the entry is dropped. This pins that
+        # behavior so any future change to it is a deliberate decision.
+        self.published_app.webhook_headers = ["Authorization: Bearer secret-token"]
+        self.published_app.save()
+
+        self.get_success_response(
+            self.published_app.slug,
+            webhookHeaders=[f"X-Renamed: {MASKED_VALUE}"],
+            status_code=200,
+        )
+        self.published_app.refresh_from_db()
+        assert self.published_app.webhook_headers == []
+
     @override_options({"staff.ga-rollout": True})
     def test_members_cant_update(self) -> None:
         with assume_test_silo_mode(SiloMode.CELL):
diff --git a/tests/sentry/sentry_apps/models/test_sentryapp.py b/tests/sentry/sentry_apps/models/test_sentryapp.py
@@ -1,3 +1,8 @@
+import orjson
+from django.core.serializers import serialize as django_serialize
+
+from sentry.backup.helpers import DatetimeSafeDjangoJSONEncoder
+from sentry.backup.sanitize import sanitize
 from sentry.constants import SentryAppStatus
 from sentry.hybridcloud.models.outbox import ControlOutbox
 from sentry.hybridcloud.outbox.category import OutboxCategory
@@ -105,3 +110,23 @@ def test_cells_with_installations(self) -> None:
             organization=self.eu_org, slug=self.sentry_app.slug, prevent_token_exchange=True
         )
         assert self.sentry_app.cells_with_installations() == {"us", "eu"}
+
+    def test_sanitize_relocation_json_scrubs_webhook_headers(self) -> None:
+        # webhook_headers can hold auth tokens, so the relocation export must never
+        # include them. Exercise the real export path: serialize -> sanitize.
+        self.sentry_app.webhook_headers = ["Authorization: Bearer super-secret-token"]
+        self.sentry_app.save()
+
+        json_data = orjson.loads(
+            django_serialize(
+                "json",
+                [self.sentry_app],
+                use_natural_foreign_keys=False,
+                cls=DatetimeSafeDjangoJSONEncoder,
+            )
+        )
+        sanitized = sanitize(json_data)
+
+        fields = sanitized[0]["fields"]
+        assert fields["webhook_headers"] == "[]"
+        assert "super-secret-token" not in orjson.dumps(sanitized).decode()
