Skip to content

Mark's skepticism resolution #104920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
dcramer wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

Mark's skepticism resolution #104920

dcramer wants to merge 5 commits into from
+278 −2

Conversation

@dcramer
Copy link
Member

@dcramer dcramer commented Dec 13, 2025

Fixes a High severity IDOR (Indirect Object Reference) vulnerability in the PromptsActivityEndpoint.

Previously, the endpoint allowed users to dismiss prompts for any project_id as long as it existed, without verifying that the project belonged to the user's organization. This allowed unauthorized prompt dismissals for projects in other organizations.

The fix adds organization_id=request.organization.id to the Project.objects.filter query when validating project_id, ensuring that only projects belonging to the current organization can be referenced. A new regression test has been added, and an existing test updated.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

Slack Thread

Open in Cursor Open in Web

@cursor
Copy link
Contributor

cursor bot commented Dec 13, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Dec 13, 2025
@codecov
Copy link

codecov bot commented Dec 13, 2025
edited
Loading

❌ 1 Tests Failed:

Tests completed Failed Passed Skipped
30567 1 30566 241
View the top 1 failed test(s) by shortest run time 
tests.sentry.api.endpoints.test_prompts_activity.PromptsActivityTest::test_invalid_project
Stack Traces | 2.58s run time 
#x1B[1m#x1B[.../api/endpoints/test_prompts_activity.py#x1B[0m:96: in test_invalid_project
    assert resp.data["detail"] == "Project does not belong to this organization"
#x1B[1m#x1B[31mE   AssertionError: assert 'Missing required field' == 'Project does... organization'#x1B[0m
#x1B[1m#x1B[31mE     #x1B[0m
#x1B[1m#x1B[31mE     - Project does not belong to this organization#x1B[0m
#x1B[1m#x1B[31mE     + Missing required field#x1B[0m

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Scope: Backend Automatically applied to PRs that change backend components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dcramer @cursoragent