Expand Up @@ -16,6 +16,7 @@
from sentry.organizations.services.organization import organization_service
from sentry.sentry_apps.api.bases.sentryapps import SentryAppBaseEndpoint
from sentry.sentry_apps.models.sentry_app import SentryApp
from sentry.sentry_apps.utils.errors import SentryAppError
from sentry.users.services.user.service import user_service

logger = logging.getLogger(__name__)
Expand Down Expand Up @@ -59,6 +60,13 @@ def has_object_permission(self, request: Request, view: object, sentry_app: Sent
)
raise Http404

for scope in sentry_app.scope_list:
if not request.access.has_scope(scope):
raise SentryAppError(
message=f"Requested permission of {scope} exceeds requester's permission. Please contact an owner to make the requested change.",
status_code=403,
)

# permission check inside an organization
allowed_scopes = set(self.scope_map.get(request.method or "", []))
return any(request.access.has_scope(s) for s in allowed_scopes)
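Review bot: The new scope-elevation loop runs for every HTTP method, because it sits before the method-keyed `scope_map` lookup on the next lines; as written, a requester holding only read scopes is refused even a GET on an app whose `scope_list` contains `org:admin`, although the accompanying test only exercises the rotate-secret POST. If the intent is to stop mutations that would hand the requester a credential carrying scopes they do not hold, the guard should be gated on the unsafe methods, e.g. `if request.method not in ("GET", "HEAD", "OPTIONS"):` wrapping the `for scope in sentry_app.scope_list:` loop, with a comment such as `# A mutation lets the requester act with every scope the app holds; refuse it if they lack any of them.`; if blocking reads is deliberate, that comment should say so instead. Note also that this guard raises a 403 naming the missing scope while the neighbouring ownership check raises Http404 — that looks acceptable here because the 404 branch above has already confirmed the requester belongs to the owning org, but it is worth stating in the comment that scope names are only disclosed to org members. `has_object_permission` begins outside the hunk.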
Expand Up @@ -31,6 +31,33 @@ def test_member_call(self):
response = self.client.post(self.url)
assert response.status_code == 403

def test_manager_cannot_rotate_privileged_secret(self):
"""
Tests that a Manager cannot rotate a secret with a high privileged scope
(such as org:admin)
"""
other_application = ApiApplication.objects.create(owner=self.user)
other_app = SentryApp.objects.create(
application=other_application,
owner_id=self.organization.id,
name="b",
slug="b",
scope_list=("org:admin",),
)
self.url = reverse("sentry-api-0-sentry-app-rotate-secret", args=[other_app.slug])

other_user = self.create_user()
other_manager = self.create_member(
user=other_user, organization=self.organization, role="manager"
)
self.login_as(other_manager)
response = self.client.post(self.url)
assert response.status_code == 403
assert (
"Requested permission of org:admin exceeds requester's permission. Please contact an owner to make the requested change."
in response.data["detail"]
)

def test_non_owner_call(self):
"""
Tests that an authenticated user cannot rotate the secret for an app from other org.
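Review bot: The new test only pins the negative case — a manager refused on an `org:admin` app — and nothing checks that the guard does not over-block a manager rotating the secret of an app whose scopes they do hold, which is the regression most likely to be introduced by a per-scope loop placed ahead of the method check. A companion test that creates an app with a scope a manager presumably has (for instance `org:write`) and asserts the rotate call succeeds would cover it; the exact success status and whether a manager holds that scope should be confirmed against the role definitions. As a point of style, `test_manager_cannot_rotate_privileged_secret` reassigns `self.url`, which `setUp` appears to own for the other tests; a local `url = reverse(...)` passed to `self.client.post(url)` avoids leaning on per-test instance isolation. `test_non_owner_call` continues past the end of the hunk.
```python
def test_manager_can_rotate_secret_within_own_scopes(self):
    """A manager can rotate the secret of an app whose scopes they already hold."""
    app = SentryApp.objects.create(
        application=ApiApplication.objects.create(owner=self.user),
        owner_id=self.organization.id,
        name="c",
        slug="c",
        scope_list=("org:write",),  # assumed to be held by the manager role — confirm
    )
    manager = self.create_member(
        user=self.create_user(), organization=self.organization, role="manager"
    )
    self.login_as(manager)
    url = reverse("sentry-api-0-sentry-app-rotate-secret", args=[app.slug])
    response = self.client.post(url)
    assert response.status_code == 200  # confirm the endpoint's success status
```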