
feat(developer-settings): add webhook_headers backend support #116901

Closed
sentry-junior[bot] wants to merge 28 commits into master from feat/webhook-headers-backend

feat(developer-settings): add webhook_headers backend support#116901
sentry-junior[bot] wants to merge 28 commits into
masterfrom
feat/webhook-headers-backend

feat(developer-settings): add webhook_headers backend support

ddb61af
@sentry/warden / warden: wrdn-data-exfil completed Jun 4, 2026 in 19m 30s

1 issue

wrdn-data-exfil: Found 1 issue (1 high)

High

webhookHeaders exposed without masking in API responses, leaking potential auth tokens to all authenticated users - `src/sentry/apidocs/examples/sentry_app_examples.py:108-141`

Custom webhook headers (which may contain `Authorization: Bearer <token>` or similar credentials) are returned unconditionally in `SentryAppSerializer.serialize()` at `api/serializers/sentry_app.py:150` without the owner-membership gate that protects `clientId`/`clientSecret`; any authenticated user can retrieve them via `GET /api/0/apps/?status=published`.

Also found at:

  • src/sentry/sentry_apps/api/serializers/sentry_app.py:47
  • src/sentry/sentry_apps/api/serializers/sentry_app.py:150
  • src/sentry/sentry_apps/logic.py:352
  • src/sentry/sentry_apps/logic.py:436
  • src/sentry/sentry_apps/services/app/model.py:88
  • src/sentry/sentry_apps/services/app/serial.py:44
  • src/sentry/sentry_apps/logic.py:141
  • src/sentry/sentry_apps/models/sentry_app.py:129

⏱ 18m 1s · 2.9M in / 75.1k out · $4.27

Annotations

Check failure on line 141 in src/sentry/apidocs/examples/sentry_app_examples.py

@sentry-warden / warden: wrdn-data-exfil

webhookHeaders exposed without masking in API responses, leaking potential auth tokens to all authenticated users

Custom webhook headers (which may contain `Authorization: Bearer <token>` or similar credentials) are returned unconditionally in `SentryAppSerializer.serialize()` at `api/serializers/sentry_app.py:150` without the owner-membership gate that protects `clientId`/`clientSecret`; any authenticated user can retrieve them via `GET /api/0/apps/?status=published`.

Additional locations reported under the same finding [285-X8D] (webhookHeaders exposed without masking in API responses, leaking potential auth tokens to all authenticated users), each carrying the description above:

  • src/sentry/sentry_apps/api/serializers/sentry_app.py, line 47
  • src/sentry/sentry_apps/api/serializers/sentry_app.py, line 150
  • src/sentry/sentry_apps/logic.py, line 352
  • src/sentry/sentry_apps/logic.py, line 436
  • src/sentry/sentry_apps/services/app/model.py, line 88
  • src/sentry/sentry_apps/services/app/serial.py, line 44
  • src/sentry/sentry_apps/logic.py, line 141
  • src/sentry/sentry_apps/models/sentry_app.py, line 129