
Commit 3930550

authored
fix(apps): disallow Manager to rotate an app secret with org:admin scope (#92019)
https://getsentry.atlassian.net/browse/VULN-728
1 parent afcaf89 commit 3930550


2 files changed

+35
-0
lines changed


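--- a/src/sentry/sentry_apps/api/endpoints/sentry_app_rotate_secret.py
+++ b/src/sentry/sentry_apps/api/endpoints/sentry_app_rotate_secret.py
@@ -16,6 +16,7 @@
 from sentry.organizations.services.organization import organization_service
 from sentry.sentry_apps.api.bases.sentryapps import SentryAppBaseEndpoint
 from sentry.sentry_apps.models.sentry_app import SentryApp
+from sentry.sentry_apps.utils.errors import SentryAppError
 from sentry.users.services.user.service import user_service
 
 logger = logging.getLogger(__name__)
@@ -59,6 +60,13 @@ def has_object_permission(self, request: Request, view: object, sentry_app: Sent
             )
             raise Http404
 
+        for scope in sentry_app.scope_list:
+            if not request.access.has_scope(scope):
+                raise SentryAppError(
+                    message=f"Requested permission of {scope} exceeds requester's permission. Please contact an owner to make the requested change.",
+                    status_code=403,
+                )
+
         # permission check inside an organization
         allowed_scopes = set(self.scope_map.get(request.method or "", []))
         return any(request.access.has_scope(s) for s in allowed_scopes)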
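Review bot: The new scope loop has no comment explaining why a requester must hold every scope the app itself carries, which is the whole point of the fix and is not obvious next to the method-based `allowed_scopes` check that follows; a one-line why-comment above the `for` would do, e.g. `# Rotating the secret hands out credentials carrying the app's scopes, so the requester must hold every one of them (a Manager must not mint an org:admin token).`. Note also that this branch surfaces a 403 with the offending scope in the message, whereas the denial just above it raises Http404; that is fine once the app has already been resolved within the caller's organization, but if any earlier path in this method still relies on 404 to avoid confirming the app exists, this ordering is worth double-checking. has_object_permission starts outside the hunk, so the earlier checks are not visible here.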

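--- a/tests/sentry/sentry_apps/api/endpoints/test_sentry_app_rotate_secret.py
+++ b/tests/sentry/sentry_apps/api/endpoints/test_sentry_app_rotate_secret.py
@@ -31,6 +31,33 @@ def test_member_call(self):
         response = self.client.post(self.url)
         assert response.status_code == 403
 
+    def test_manager_cannot_rotate_privileged_secret(self):
+        """
+        Tests that a Manager cannot rotate a secret with a high privileged scope
+        (such as org:admin)
+        """
+        other_application = ApiApplication.objects.create(owner=self.user)
+        other_app = SentryApp.objects.create(
+            application=other_application,
+            owner_id=self.organization.id,
+            name="b",
+            slug="b",
+            scope_list=("org:admin",),
+        )
+        self.url = reverse("sentry-api-0-sentry-app-rotate-secret", args=[other_app.slug])
+
+        other_user = self.create_user()
+        other_manager = self.create_member(
+            user=other_user, organization=self.organization, role="manager"
+        )
+        self.login_as(other_manager)
+        response = self.client.post(self.url)
+        assert response.status_code == 403
+        assert (
+            "Requested permission of org:admin exceeds requester's permission. Please contact an owner to make the requested change."
+            in response.data["detail"]
+        )
+
     def test_non_owner_call(self):
         """
         Tests that an authenticated user cannot rotate the secret for an app from other org.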
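Review bot: The new test only pins the denial; there is no companion case showing that the same Manager can still rotate the secret of an app whose scopes they do hold, so a future change that rejects too broadly (or compares the wrong scope set) would pass this suite. A second test that creates an app with a manager-level scope_list, logs in as the manager and asserts a 200 would close that gap. As a point of style, the test overwrites `self.url` rather than using a local `url = reverse(...)`; since the fixture value is set in setUp (outside this hunk) this is harmless per test, but a local name makes the intent clearer. The enclosing test class starts outside the hunk.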
