fix(seer): Validate project permissions in trace explorer AI query#106432

Merged
oioki merged 4 commits into master from fix-trace-explorer-idor-vulnerability on Jan 16, 2026
@oioki (Member) commented Jan 16, 2026

Fixes AIML-1708
Also adds missing tests for the TraceExplorerAIQuery endpoint.

The endpoint was directly trusting user-supplied project IDs without validation, creating an IDOR vulnerability that could allow users to access trace data from projects they don't have permission to view.

Use self.get_projects() to properly validate that the user has access to the requested projects before passing them to the Seer API.
@oioki requested a review from a team as a code owner January 16, 2026 07:40
@github-actions bot added the Scope: Backend label Jan 16, 2026
The get_projects() method expects project_ids as set[int], but we were
passing a list. This caused validation failures because list != set even
when they contain the same elements.
@cursor bot (Contributor) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

oioki added 2 commits January 16, 2026 09:42
Fixed two issues in trace explorer AI query endpoint:

1. Test hang: Mock send_translate_request now returns proper dict instead
   of MagicMock to prevent JSON serialization hang in tests

2. Empty project_ids bug: Validate raw_project_ids before calling
   get_projects() to prevent empty list from falling back to all user's
   projects. The condition `if raw_project_ids else None` was treating
   empty list as None, bypassing the required parameter validation.

Changes:
- Move validation earlier in flow to check raw input
- Remove conditional that converts empty list to None
- Add test for empty project_ids with valid query
- Replace team permission test with stronger cross-org access test
- Remove debug print statements
@oioki merged commit 85758f5 into master Jan 16, 2026
67 checks passed
@oioki deleted the fix-trace-explorer-idor-vulnerability branch January 16, 2026 16:08
@github-actions bot locked and limited conversation to collaborators Feb 1, 2026
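
The access-control failures described in this thread, as an added example that is not code from the PR or from Sentry: a simplified model in which `ACCESSIBLE`, `get_projects` and the three handler names are hypothetical stand-ins that behave the way the description and commit messages say. It shows the unchecked IDs, the list-versus-set comparison failure, the empty-list fallback to all projects, and the validate-first ordering.

```python
# Simplified model of the endpoint logic discussed in this PR (assumption:
# not Sentry's code; get_projects is a stand-in with the behaviour the
# commit messages describe).

ACCESSIBLE = {1, 2}  # constructed: project IDs the caller may view;
                     # project 99 belongs to another organization


def get_projects(project_ids):
    """Stand-in resolver: None means "all of the caller's projects"."""
    if project_ids is None:
        return set(ACCESSIBLE)
    found = ACCESSIBLE & set(project_ids)
    if found != project_ids:  # a list never equals a set, so lists always fail
        raise PermissionError("no access to requested projects")
    return found


def handler_trusting(body):
    """Before the fix: IDs reach the backend unchecked (IDOR)."""
    return list(body.get("project_ids", []))


def handler_falsy_fallback(body):
    """Intermediate state: [] is falsy, becomes None, widens to all projects."""
    raw = body.get("project_ids")
    ids = {int(p) for p in raw} if raw else None
    return sorted(get_projects(ids))


def handler_fixed(body):
    """Validate the raw input first, then resolve a set[int] via the access check."""
    raw = body.get("project_ids")
    if not isinstance(raw, list) or not raw:
        raise ValueError("project_ids is required")
    try:
        ids = {int(p) for p in raw}
    except (TypeError, ValueError):
        raise ValueError("project_ids must be integers")
    return sorted(get_projects(ids))
```

A regression test for this class of bug should cover a foreign project ID, a mix of permitted and foreign IDs, and the empty list, since each takes a different path through the check.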