fix(vercel): use sensitive type for SENTRY_AUTH_TOKEN env var#115700
Open
sentry-junior[bot] wants to merge 1 commit into
Open
fix(vercel): use sensitive type for SENTRY_AUTH_TOKEN env var#115700sentry-junior[bot] wants to merge 1 commit into
sentry-junior[bot] wants to merge 1 commit into
Conversation
Change the Vercel env var type for SENTRY_AUTH_TOKEN from 'encrypted' to 'sensitive' so the value becomes write-only and cannot be read back through the Vercel API or dashboard. The Vercel API supports four env var types: system, encrypted, plain, and sensitive. Using 'sensitive' ensures the auth token is not exposed after initial creation, reducing blast radius if a Vercel account is compromised. This applies to new installs and re-configurations; existing env vars will be updated when project mappings are next saved. Refs: #113391
github-actions
Bot
added
the
Scope: Backend
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| }, | ||
| "SENTRY_AUTH_TOKEN": { | ||
| "type": "encrypted", | ||
| "type": "sensitive", |
Contributor
There was a problem hiding this comment.
Bug: Updating an existing Vercel environment variable's type to sensitive via a PATCH request is an unsupported API operation and will either fail or be silently ignored.
Severity: HIGH
Suggested Fix
To correctly change the environment variable type to sensitive, the variable must be deleted and then recreated. Implement a delete-then-create logic for environment variables when a type change from encrypted to sensitive is detected, instead of using the current PATCH update method. This may require adding a method to delete environment variables in the VercelClient.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: src/sentry/integrations/vercel/integration.py#L185
Potential issue: The code attempts to update an existing Vercel environment variable's
type from `encrypted` to `sensitive` using a `PATCH` request. According to Vercel's API
documentation, this operation is unsupported. This will either cause the API to return
an error, which will raise a `ValidationError` and break the configuration update
process for existing integrations, or the API will silently ignore the type change. If
ignored, the environment variable will remain `encrypted`, defeating the security goal
of the change for existing installations.
Did we get this right? 👍 / 👎 to inform future reviews.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes the Vercel env var type for
SENTRY_AUTH_TOKENfromencryptedtosensitiveso the value becomes write-only in Vercel — it cannot be read back through the Vercel API or dashboard after creation.The Vercel API supports four env var types:
system,encrypted,plain, andsensitive. We were usingencryptedfor all env vars including the auth token. Usingsensitivefor the auth token reduces blast radius if a Vercel account is compromised.This applies to new installs and project mapping re-configurations. Existing env vars will be updated to
sensitivewhen project mappings are next saved (the integration'supdate_organization_configcallscreate_env_varwhich falls through toupdate_env_variableonENV_ALREADY_EXISTS).Changes
src/sentry/integrations/vercel/integration.py:SENTRY_AUTH_TOKENtypeencrypted→sensitiveinVercelEnvVarMapBuilder.build()tests/sentry/integrations/vercel/test_integration.py: updatedenv_var_mapfixtures and request body assertions intest_update_org_configandtest_update_org_config_vars_existRefs #113391