Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sudo): Selectively log user email on superuser access #72611

Merged
merged 7 commits into from
Jun 27, 2024
Merged

fix(sudo): Selectively log user email on superuser access #72611

merged 7 commits into from
Jun 27, 2024
+106 −1

Conversation

RyanSkonnord
Copy link
Member

This can leak PII for users from orgs other than the staff org, per https://github.com/getsentry/team-core-product-foundations/issues/315

@RyanSkonnord
fix(sudo): Avoid logging user email on superuser access
aa2c806 
This can leak PII for users from orgs other than the staff org, per
getsentry/team-core-product-foundations#315
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jun 12, 2024
@codecov Codecov
Copy link

codecov bot commented Jun 12, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.12%. Comparing base (fcb48c7) to head (f06ccef).
Report is 2 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #72611      +/-   ##
==========================================
+ Coverage   78.00%   78.12%   +0.11%     
==========================================
  Files        6635     6622      -13     
  Lines      296661   295659    -1002     
  Branches    51087    50931     -156     
==========================================
- Hits       231416   230986     -430     
+ Misses      58863    58383     -480     
+ Partials     6382     6290      -92
Files Coverage Δ
src/sentry/conf/server.py 87.82% <100.00%> (+0.02%) ⬆️
src/sentry/middleware/superuser.py 97.36% <100.00%> (+7.36%) ⬆️

... and 943 files with indirect coverage changes

@RyanSkonnord RyanSkonnord marked this pull request as ready for review June 21, 2024 22:43
@RyanSkonnord RyanSkonnord requested a review from a team as a code owner June 21, 2024 22:43
@RyanSkonnord RyanSkonnord changed the title fix(sudo): Avoid logging user email on superuser access fix(sudo): Selectively log user email on superuser access Jun 21, 2024
@RyanSkonnord
Copy link
Member Author

Having found no good way to bind this to an actual auth provider, I've kludged in a single-purpose conf value that should do the trick. It should be pretty easy to refactor out again if anyone wants to take another pass later.

@RyanSkonnord RyanSkonnord requested a review from a team June 21, 2024 22:50
@RyanSkonnord RyanSkonnord merged commit 5bf8287 into master Jun 27, 2024
49 checks passed
@RyanSkonnord RyanSkonnord deleted the remove-user-email-from-superuser-logs branch June 27, 2024 19:43
@github-actions github-actions bot locked and limited conversation to collaborators Jul 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sentaur-athena sentaur-athena sentaur-athena approved these changes

Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@RyanSkonnord @sentaur-athena