feat(autofix): Update seer explorer autofix last triggered on completion #111663
1 issue
sentry-security: Found 1 issue (1 medium)
Medium
Group lookup not scoped by organization - potential cross-org IDOR - `src/sentry/seer/autofix/on_completion_hook.py:86-99`
The code fetches a Group by ID from `state.metadata.get('group_id')` without validating that the group belongs to the provided organization. While the Seer API is trusted, this is inconsistent with the existing pattern in `trigger_push_changes()` (lines 503-505 of `autofix_agent.py`) which explicitly validates `group_id == group.id`. If Seer ever returns incorrect metadata (bug or manipulation), this could allow updating `seer_explorer_autofix_last_triggered` on a group in another organization, and potentially trigger webhooks/pipelines for the wrong group.
Duration: 3m 53s · Tokens: 1.7M in / 13.7k out · Cost: $2.31 (+extraction: $0.00)