Skip to content

fix(integrations): Fix security vulnerabilities in Jira#112409

Open
ceorourke wants to merge 16 commits intomasterfrom
ceorourke/ISWF-2400
Open

fix(integrations): Fix security vulnerabilities in Jira#112409
ceorourke wants to merge 16 commits intomasterfrom
ceorourke/ISWF-2400

Conversation

@ceorourke
Copy link
Copy Markdown
Member

@ceorourke ceorourke commented Apr 7, 2026
edited
Loading

Require a kid to be passed to the Jira installed endpoint to prevent attacks. 👶

@linear-code
Copy link
Copy Markdown

linear-code bot commented Apr 7, 2026

ISWF-2400 Fix Security Vulnerabilities

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Apr 7, 2026
ceorourke
ceorourke commented Apr 7, 2026
View reviewed changes
sentry-warden[bot]
sentry-warden bot reviewed Apr 7, 2026
View reviewed changes
sentry-warden[bot]
sentry-warden bot reviewed Apr 7, 2026
View reviewed changes
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 7, 2026

Backend Test Failures

Failures on 6b4e119 in this run:

tests/sentry/integrations/jira/test_installed.py::JiraInstalledTest::test_with_shared_secretlog 
[gw1] linux -- Python 3.13.1 /home/runner/work/sentry/sentry/.venv/bin/python3
tests/sentry/integrations/jira/test_installed.py:116: in test_with_shared_secret
    self.get_success_response(
src/sentry/testutils/cases.py:641: in get_success_response
    assert_status_code(response, 200, 300)
src/sentry/testutils/asserts.py:46: in assert_status_code
    assert minimum <= response.status_code < maximum, response
E   AssertionError: <Response status_code=400, "application/json">
E   assert 400 < 300
E    +  where 400 = <Response status_code=400, "application/json">.status_code

ceorourke and others added 2 commits April 7, 2026 14:58
@ceorourke @sentry-warden
Update src/sentry/integrations/jira/webhooks/installed.py
0deeb99 
Co-authored-by: sentry-warden[bot] <258096371+sentry-warden[bot]@users.noreply.github.com>
@ceorourke @sentry-warden
Update src/sentry/integrations/bitbucket/installed.py
80d877e 
Co-authored-by: sentry-warden[bot] <258096371+sentry-warden[bot]@users.noreply.github.com>
sentry-warden[bot]
sentry-warden bot reviewed Apr 7, 2026
View reviewed changes
sentry-warden[bot]
sentry-warden bot reviewed Apr 7, 2026
View reviewed changes
@ceorourke ceorourke changed the title fix(integrations): Fix security vulnerabilities in Jira and Bitbucket fix(integrations): Fix security vulnerabilities in Jira Apr 7, 2026
sentry-warden[bot]
sentry-warden bot reviewed Apr 7, 2026
View reviewed changes
sentry-warden[bot]
sentry-warden bot reviewed Apr 7, 2026
View reviewed changes
@getsentry getsentry deleted a comment from github-actions bot Apr 7, 2026
@ceorourke ceorourke marked this pull request as ready for review April 7, 2026 23:51
@ceorourke ceorourke requested review from a team as code owners April 7, 2026 23:51
sentry[bot]
sentry bot reviewed Apr 7, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Apr 8, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Apr 8, 2026
View reviewed changes
sentry[bot]
sentry bot reviewed Apr 8, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Apr 8, 2026
View reviewed changes
sentry[bot]
sentry bot reviewed Apr 8, 2026
View reviewed changes
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 8, 2026

Backend Test Failures

Failures on 57b416b in this run:

tests/sentry/integrations/jira/test_installed.py::JiraInstalledTest::test_no_claimslog 
[gw1] linux -- Python 3.13.1 /home/runner/work/sentry/sentry/.venv/bin/python3
tests/sentry/integrations/jira/test_installed.py:104: in test_no_claims
    self.get_error_response(
src/sentry/testutils/cases.py:663: in get_error_response
    assert_status_code(response, status_code)
src/sentry/testutils/asserts.py:46: in assert_status_code
    assert minimum <= response.status_code < maximum, response
E   AssertionError: <Response status_code=400, "application/json">
E   assert 409 <= 400
E    +  where 400 = <Response status_code=400, "application/json">.status_code

cursor[bot]
cursor bot reviewed Apr 8, 2026
View reviewed changes
@ceorourke ceorourke requested review from a team and GabeVillalobos April 8, 2026 20:18
GabeVillalobos
GabeVillalobos reviewed Apr 8, 2026
View reviewed changes
src/sentry/integrations/jira/webhooks/installed.py
return self.respond(
{"detail": "Invalid or expired signature"}, status=status.HTTP_400_BAD_REQUEST
)
except DecodeError:
Copy link
Copy Markdown
Member

@GabeVillalobos GabeVillalobos Apr 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we broaden this to cover all exceptions? It'd be bad if some other exception case could fall through to the next parts of the installation pipeline. A 400 exception when decoding the jwt fails would probably be a better response than a 500.

Copy link
Copy Markdown
Member

@GabeVillalobos GabeVillalobos Apr 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On a similar note, we should add some tests for these cases to ensure error handling doesn't allow the pipeline to continue, and responds with the correct status code.

Copy link
Copy Markdown
Member Author

@ceorourke ceorourke Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added tests for the specific errors we're catching including a DecodeError. The bots are yelling about my broader exception catching though which might be valid. I do worry I might be missing some other jwt exceptions but I'm not sure how to find them all.

sentry[bot]
sentry bot reviewed Apr 8, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit b0b411c. Configure here.

@ceorourke ceorourke requested a review from geoffg-sentry April 8, 2026 21:27
GabeVillalobos
GabeVillalobos approved these changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@GabeVillalobos GabeVillalobos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, pending security signoff. We should address the warden comment and wrap the peek_header call with a try:catch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

@sentry-warden sentry-warden[bot] sentry-warden[bot] left review comments

@GabeVillalobos GabeVillalobos GabeVillalobos approved these changes

@geoffg-sentry geoffg-sentry Awaiting requested review from geoffg-sentry

Assignees

No one assigned

Labels

Scope: Backend Automatically applied to PRs that change backend components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ceorourke @GabeVillalobos