feat(developer-settings): add webhook_headers backend support #116901
sentry-junior[bot] wants to merge 28 commits into
1 issue
security-review: Found 1 issue (1 medium)
Medium
Custom webhook headers exposed unmasked in GET responses for published Sentry Apps - `src/sentry/sentry_apps/api/endpoints/sentry_apps.py:137`
SentryAppSerializer returns webhookHeaders verbatim in the GET response for any Sentry App, and SentryAppPermission.has_object_permission lets any authenticated user GET a published app's details. Since webhook_headers is designed to carry per-app credentials (e.g. Authorization: Bearer ...), any Sentry user can read another org's webhook secrets via GET /api/0/sentry-apps/{slug}/. Mask the values like clientSecret does, or restrict exposure to org members with org:write.
Also found at:
src/sentry/sentry_apps/api/serializers/sentry_app.py:48
src/sentry/sentry_apps/api/serializers/sentry_app.py:150
src/sentry/sentry_apps/logic.py:117
src/sentry/sentry_apps/logic.py:352
src/sentry/sentry_apps/services/app/model.py:88
tests/sentry/sentry_apps/api/endpoints/test_sentry_apps.py:762-766
⏱ 13m 49s · 6.9M in / 115.7k out · $6.28
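The pattern the finding asks for, shown as an added, self-contained example rather than Sentry's own serializer code: the leaking serializer that copies `webhook_headers` into the response verbatim sits beside a hardened one that treats every header value as a credential and only returns it in clear to callers holding `org:write` on the owning organization; everyone else sees the header names with masked values. Every class, function and constant below (`SentryAppLike`, `Requester`, `serialize_sentry_app`, the `MASKED` placeholder, the scope-lookup shape) is hypothetical and does not model Sentry's real models, permission classes or mask format. The sample app, headers and secrets are constructed for the example.

```python
"""Masking custom webhook headers in an API serializer (hypothetical example)."""
from __future__ import annotations

from dataclasses import dataclass, field

MASKED = "********"  # assumed placeholder; Sentry's real mask format may differ


@dataclass
class Org:
    slug: str


@dataclass
class SentryAppLike:
    """Stand-in for a Sentry App record; not Sentry's model."""
    slug: str
    owner: Org
    status: str  # "published" or "unpublished"
    webhook_url: str
    webhook_headers: dict[str, str] = field(default_factory=dict)
    client_secret: str = ""


@dataclass
class Requester:
    """What the permission layer knows about the caller: org slug -> scopes (hypothetical)."""
    org_scopes: dict[str, set[str]] = field(default_factory=dict)

    def has_scope(self, org: Org, scope: str) -> bool:
        return scope in self.org_scopes.get(org.slug, set())


def can_view_secrets(requester: Requester, app: SentryAppLike) -> bool:
    """Credentials are only for members of the owning org with org:write."""
    return requester.has_scope(app.owner, "org:write")


def mask_headers(headers: dict[str, str]) -> dict[str, str]:
    """Keep header names (useful for debugging config) but hide every value."""
    return {name: MASKED for name in headers}


def serialize_sentry_app_unfixed(app: SentryAppLike, requester: Requester) -> dict:
    """The leaking shape: headers copied verbatim for any caller who can GET the app."""
    data = {"slug": app.slug, "status": app.status, "webhookUrl": app.webhook_url}
    if can_view_secrets(requester, app):
        data["clientSecret"] = app.client_secret  # clientSecret is already gated
    data["webhookHeaders"] = dict(app.webhook_headers)  # but the headers are not
    return data


def serialize_sentry_app(app: SentryAppLike, requester: Requester) -> dict:
    """Hardened shape: webhookHeaders gated exactly like clientSecret, masked otherwise."""
    data = {"slug": app.slug, "status": app.status, "webhookUrl": app.webhook_url}
    if can_view_secrets(requester, app):
        data["clientSecret"] = app.client_secret
        data["webhookHeaders"] = dict(app.webhook_headers)
    else:
        data["webhookHeaders"] = mask_headers(app.webhook_headers)
    return data


def leaks_secret(response: dict, secrets: list[str]) -> bool:
    """Regression check: does any secret value appear anywhere in the response body?"""
    blob = repr(response)
    return any(s and s in blob for s in secrets)


# Constructed sample data: a published app owned by "acme" with credential-bearing headers.
ACME = Org(slug="acme")
APP = SentryAppLike(
    slug="acme-alerts",
    owner=ACME,
    status="published",
    webhook_url="https://hooks.example.test/sentry",
    webhook_headers={"Authorization": "Bearer s3cr3t-token", "X-Api-Key": "k-123"},
    client_secret="client-secret-xyz",
)
SECRETS = ["s3cr3t-token", "k-123", "client-secret-xyz"]
OUTSIDER = Requester(org_scopes={"other-org": {"org:read"}})  # any authenticated user
ACME_ADMIN = Requester(org_scopes={"acme": {"org:read", "org:write"}})


def demo() -> tuple[dict, dict, dict]:
    """Returns (unfixed outsider view, fixed outsider view, fixed admin view)."""
    return (
        serialize_sentry_app_unfixed(APP, OUTSIDER),
        serialize_sentry_app(APP, OUTSIDER),
        serialize_sentry_app(APP, ACME_ADMIN),
    )


if __name__ == "__main__":
    unfixed, fixed, admin = demo()
    print("unfixed outsider view leaks:", leaks_secret(unfixed, SECRETS))
    print("fixed outsider view:", fixed)
    print("fixed admin view:", admin)
```

`leaks_secret` is the kind of check worth adding to the endpoint tests cited in the finding: serialize the app as a user from a different org and assert that none of the configured header values or the client secret appear anywhere in the response, so a future field that copies `webhook_headers` through another path is caught.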
Annotations
Check warning on line 137 in src/sentry/sentry_apps/api/endpoints/sentry_apps.py
sentry-warden / warden: security-review
Custom webhook headers exposed unmasked in GET responses for published Sentry Apps
`SentryAppSerializer` returns `webhookHeaders` verbatim in the GET response for any Sentry App, and `SentryAppPermission.has_object_permission` lets any authenticated user GET a published app's details. Since `webhook_headers` is designed to carry per-app credentials (e.g. `Authorization: Bearer ...`), any Sentry user can read another org's webhook secrets via `GET /api/0/sentry-apps/{slug}/`. Mask the values like `clientSecret` does, or restrict exposure to org members with `org:write`.
Check warning on line 48 in src/sentry/sentry_apps/api/serializers/sentry_app.py
sentry-warden / warden: security-review
[XPX-475] Custom webhook headers exposed unmasked in GET responses for published Sentry Apps (additional location)
Check warning on line 150 in src/sentry/sentry_apps/api/serializers/sentry_app.py
sentry-warden / warden: security-review
[XPX-475] Custom webhook headers exposed unmasked in GET responses for published Sentry Apps (additional location)
Check warning on line 117 in src/sentry/sentry_apps/logic.py
sentry-warden / warden: security-review
[XPX-475] Custom webhook headers exposed unmasked in GET responses for published Sentry Apps (additional location)
Check warning on line 352 in src/sentry/sentry_apps/logic.py
sentry-warden / warden: security-review
[XPX-475] Custom webhook headers exposed unmasked in GET responses for published Sentry Apps (additional location)
Check warning on line 88 in src/sentry/sentry_apps/services/app/model.py
sentry-warden / warden: security-review
[XPX-475] Custom webhook headers exposed unmasked in GET responses for published Sentry Apps (additional location)
Check warning on line 766 in tests/sentry/sentry_apps/api/endpoints/test_sentry_apps.py
sentry-warden / warden: security-review
[XPX-475] Custom webhook headers exposed unmasked in GET responses for published Sentry Apps (additional location)