fix(integrations): Fix security vulnerabilities in Jira

[ceorourke]

Require a kid to be passed to the Jira installed endpoint to prevent attacks. 👶

[linear-code]

ISWF-2400 Fix Security Vulnerabilities

[github-actions]

Backend Test Failures

Failures on 6b4e119 in this run:

tests/sentry/integrations/jira/test_installed.py::JiraInstalledTest::test_with_shared_secret — log

[gw1] linux -- Python 3.13.1 /home/runner/work/sentry/sentry/.venv/bin/python3
tests/sentry/integrations/jira/test_installed.py:116: in test_with_shared_secret
    self.get_success_response(
src/sentry/testutils/cases.py:641: in get_success_response
    assert_status_code(response, 200, 300)
src/sentry/testutils/asserts.py:46: in assert_status_code
    assert minimum <= response.status_code < maximum, response
E   AssertionError: <Response status_code=400, "application/json">
E   assert 400 < 300
E    +  where 400 = <Response status_code=400, "application/json">.status_code

[github-actions]

Backend Test Failures

Failures on 57b416b in this run:

tests/sentry/integrations/jira/test_installed.py::JiraInstalledTest::test_no_claims — log

[gw1] linux -- Python 3.13.1 /home/runner/work/sentry/sentry/.venv/bin/python3
tests/sentry/integrations/jira/test_installed.py:104: in test_no_claims
    self.get_error_response(
src/sentry/testutils/cases.py:663: in get_error_response
    assert_status_code(response, status_code)
src/sentry/testutils/asserts.py:46: in assert_status_code
    assert minimum <= response.status_code < maximum, response
E   AssertionError: <Response status_code=400, "application/json">
E   assert 409 <= 400
E    +  where 400 = <Response status_code=400, "application/json">.status_code

[GabeVillalobos]

Should we broaden this to cover all exceptions? It'd be bad if some other exception case could fall through to the next parts of the installation pipeline. A 400 exception when decoding the jwt fails would probably be a better response than a 500.

[GabeVillalobos]

On a similar note, we should add some tests for these cases to ensure error handling doesn't allow the pipeline to continue, and responds with the correct status code.

[ceorourke]

I added tests for the specific errors we're catching including a DecodeError. The bots are yelling about my broader exception catching though which might be valid. I do worry I might be missing some other jwt exceptions but I'm not sure how to find them all.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit b0b411c. Configure here.}

[GabeVillalobos]

Looks good to me, pending security signoff. We should address the warden comment and wrap the peek_header call with a try:catch

[geoffg-sentry]

I noticed there's no specific tests for a fully forged JWT. We mock authenticate_asymmetric_jwt and test for error handling, but there's no test here for for sending a JWT without a kid which kinda

missed the tests