
fix(security): validate GitHub user during integration installation#67876

Merged
oioki merged 5 commits into master from fix/oauth-validate-github-integration-user on Apr 4, 2024

Conversation

@oioki
Member

@oioki oioki commented Mar 28, 2024

We're adding one more step in the GitHub integration installation pipeline, namely GitHub OAuth2 authorize. This is transparent from the UX perspective as the data exchange happens without user interaction.

The pipeline will now fail in these cases:

  • If there is a mismatch between the currently authenticated GitHub user (derived from the OAuth2 authorize step) and the user who installed the GitHub app (https://github.com/apps/sentry-io)
  • If there is a mismatch between the `state` parameter supplied by the user and the pipeline signature
  • If GitHub could not generate a correct `access_token` from the `code` (wrong `code`, or an attempt to re-use it).

In all those cases, this error is shown:
![image](https://github.com/getsentry/sentry/assets/1127549/18923861-2ead-4cf5-adda-7738aef801d7)
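The three failure cases listed in the description are easier to reason about with the flow written out end to end. The following is an added example, not code from this PR or from Sentry: the `FakeGitHub` class, the `sign_state`/`state_matches` helpers and the `finish_installation` function are all hypothetical stand-ins, with an in-memory object playing the part of GitHub's token and user endpoints and of the app installation record. The `state` value is bound to the pipeline instance with an HMAC, the authorization `code` is single-use, and the installer recorded for the app installation is compared against the user the token actually belongs to.

```python
"""Added example: gating an app installation on an OAuth2 authorize round-trip.
Hypothetical code, not Sentry's; FakeGitHub stands in for GitHub's
/login/oauth/access_token and /user endpoints and for the installation record."""
import hashlib
import hmac
import secrets


def sign_state(signing_secret: bytes, pipeline_id: str) -> str:
    """Derive the OAuth2 `state` for one pipeline instance.

    Binding `state` to the pipeline with an HMAC means a callback carrying a
    `state` we did not mint, or one minted for a different pipeline, is
    rejected before any token exchange takes place."""
    return hmac.new(signing_secret, pipeline_id.encode(), hashlib.sha256).hexdigest()


def state_matches(signing_secret: bytes, pipeline_id: str, state: str) -> bool:
    # Constant-time comparison so a forged `state` cannot be searched byte by byte.
    return hmac.compare_digest(sign_state(signing_secret, pipeline_id), state)


class FakeGitHub:
    """Constructed stand-in for the GitHub endpoints the flow talks to."""

    def __init__(self) -> None:
        self.installations = {}  # installation_id -> login of the installing account
        self._codes = {}         # one-time authorization code -> login that authorized
        self._tokens = {}        # access_token -> login it was issued to

    def install_app(self, installation_id: str, login: str) -> None:
        """Record who installed the app (what the installation webhook would tell us)."""
        self.installations[installation_id] = login

    def authorize(self, login: str) -> str:
        """Simulate the browser-side authorize step; returns the `code` the redirect carries."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = login
        return code

    def exchange_code(self, code: str):
        """Mirror the token endpoint: a code is single-use, so an unknown or
        re-used code yields no access_token."""
        login = self._codes.pop(code, None)
        if login is None:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = login
        return token

    def authenticated_user(self, token: str):
        """Mirror GET /user with the bearer token."""
        return self._tokens.get(token)


def finish_installation(gh: FakeGitHub, signing_secret: bytes, pipeline_id: str,
                        installation_id: str, state: str, code: str):
    """Return (ok, reason). The three early returns are the failure cases
    described in the PR; the order matters: `state` is checked first so an
    unsigned callback never consumes a code or hits the token endpoint."""
    if not state_matches(signing_secret, pipeline_id, state):
        return False, "state does not match pipeline signature"
    token = gh.exchange_code(code)
    if token is None:
        return False, "GitHub could not issue an access_token for this code (wrong or re-used)"
    login = gh.authenticated_user(token)
    installer = gh.installations.get(installation_id)
    if installer is None or login != installer:
        return False, f"authenticated user {login!r} is not the app installer {installer!r}"
    return True, f"installation {installation_id} linked to {login}"


if __name__ == "__main__":
    gh = FakeGitHub()
    gh.install_app("inst-1", "alice")
    secret, pipeline = b"pipeline-signing-secret", "pipeline-42"
    state = sign_state(secret, pipeline)
    print(finish_installation(gh, secret, pipeline, "inst-1", state, gh.authorize("alice")))
    print(finish_installation(gh, secret, pipeline, "inst-1", state, gh.authorize("mallory")))
```

Running the module prints one success and one rejection; the rejection shows that a different GitHub account completing the authorize step cannot claim an installation it did not create, even with a valid `state` and a fresh `code`.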

@oioki oioki requested review from a team and nhsiehgit March 28, 2024 16:05
@oioki oioki requested a review from a team as a code owner March 28, 2024 16:05
@github-actions github-actions Bot added the Scope: Backend Automatically applied to PRs that change backend components label Mar 28, 2024
Contributor

@nhsiehgit nhsiehgit left a comment


nice 👍

@oioki oioki merged commit 843d7c7 into master Apr 4, 2024
@oioki oioki deleted the fix/oauth-validate-github-integration-user branch April 4, 2024 07:33
shellmayr pushed a commit that referenced this pull request Apr 10, 2024
@sentry

sentry Bot commented Apr 11, 2024

Suspect Issues

This pull request was deployed and Sentry observed the following issues:


@github-actions github-actions Bot locked and limited conversation to collaborators Apr 26, 2024