fix(apps): disallow Manager to rotate an app secret with org:admin scope (#92019)

https://getsentry.atlassian.net/browse/VULN-728

Author: oioki

src/sentry/sentry_apps/api/endpoints/sentry_app_rotate_secret.py

@@ -16,6 +16,7 @@
 from sentry.organizations.services.organization import organization_service
 from sentry.sentry_apps.api.bases.sentryapps import SentryAppBaseEndpoint
 from sentry.sentry_apps.models.sentry_app import SentryApp
+from sentry.sentry_apps.utils.errors import SentryAppError
 from sentry.users.services.user.service import user_service
 
 logger = logging.getLogger(__name__)
@@ -59,6 +60,13 @@ def has_object_permission(self, request: Request, view: object, sentry_app: Sent
             )
             raise Http404
 
+        for scope in sentry_app.scope_list:
+            if not request.access.has_scope(scope):
+                raise SentryAppError(
+                    message=f"Requested permission of {scope} exceeds requester's permission. Please contact an owner to make the requested change.",
+                    status_code=403,
+                )
+
         # permission check inside an organization
         allowed_scopes = set(self.scope_map.get(request.method or "", []))
         return any(request.access.has_scope(s) for s in allowed_scopes)

tests/sentry/sentry_apps/api/endpoints/test_sentry_app_rotate_secret.py

@@ -31,6 +31,33 @@ def test_member_call(self):
         response = self.client.post(self.url)
         assert response.status_code == 403
 
+    def test_manager_cannot_rotate_privileged_secret(self):
+        """
+        Tests that a Manager cannot rotate a secret with a high privileged scope
+        (such as org:admin)
+        """
+        other_application = ApiApplication.objects.create(owner=self.user)
+        other_app = SentryApp.objects.create(
+            application=other_application,
+            owner_id=self.organization.id,
+            name="b",
+            slug="b",
+            scope_list=("org:admin",),
+        )
+        self.url = reverse("sentry-api-0-sentry-app-rotate-secret", args=[other_app.slug])
+
+        other_user = self.create_user()
+        other_manager = self.create_member(
+            user=other_user, organization=self.organization, role="manager"
+        )
+        self.login_as(other_manager)
+        response = self.client.post(self.url)
+        assert response.status_code == 403
+        assert (
+            "Requested permission of org:admin exceeds requester's permission. Please contact an owner to make the requested change."
+            in response.data["detail"]
+        )
+
     def test_non_owner_call(self):
         """
         Tests that an authenticated user cannot rotate the secret for an app from other org.