
Conversation

@dcramer
Member

@dcramer dcramer commented Dec 15, 2025

Summary

Fixes IDOR vulnerability in OrganizationCodeMappingsEndpoint.post() where Project was queried without organization scoping, allowing users to potentially access/probe projects from other organizations by guessing project IDs.

Changes

  • Added organization_id=organization.id to Project.objects.get() query in the POST handler
  • Updated test to verify cross-org project access returns 404 (not 403) to prevent ID enumeration

Security Impact

Before this fix, an attacker could:

  1. Probe for valid project IDs from any organization
  2. Receive different responses (403 vs 404) that leaked information about valid project IDs

Test plan

  • Regression test test_idor_project_from_different_org added to verify cross-org access is blocked
  • Existing tests pass (CI will verify)
…ct by organization

Fixes IDOR vulnerability where Project was queried without organization
scoping, allowing users to potentially access/check projects from other
organizations by guessing project IDs.

Changes:
- Added organization_id=organization.id to Project.objects.get() query
- Updated test to verify cross-org project access returns 404
@dcramer dcramer requested review from a team as code owners December 15, 2025 20:52
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Dec 15, 2025
@dcramer dcramer requested a review from a team December 15, 2025 20:54
@dcramer
Member Author

dcramer commented Dec 15, 2025

Thanks for the review @oioki!

Re: existing mitigation - You're correct that the has_project_access check already blocked unauthorized access. This fix is a defense-in-depth improvement that:

  1. Prevents ID enumeration - Returns 404 instead of 403, so attackers can't probe for valid project IDs across organizations
  2. Fails earlier - Rejects at query time rather than post-query, eliminating timing side-channel
  3. Follows the secure-by-default pattern - Scopes the query to the organization rather than relying on a post-query permission check

As you noted, the security impact is minor since access was already blocked, but this aligns with best practices for multi-tenant data access.

Re: the test - The test wasn't deleted, it was renamed from test_project_does_not_exist to test_idor_project_from_different_org to better describe what it's testing. The expected response changed from 400 (serializer validation) to 404 (not found) because our fix now catches the cross-org case earlier in the request flow. The test is functionally equivalent - it still creates a project in a different org and verifies access is denied.

Happy to make any adjustments if you'd prefer a different approach!
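The 403-versus-404 oracle discussed in the PR description and in the reply above, as an added illustration that is not code from the Sentry repository: in-memory stand-ins for `Project.objects.get()` and `has_project_access` (constructed here, not the project's implementations) show why the unscoped lookup lets a caller tell "exists in another org" apart from "does not exist", while the organization-scoped query answers both the same way.

```python
from dataclasses import dataclass

# Constructed in-memory stand-ins for the ORM; the real endpoint calls Django's
# Project.objects.get(), which raises DoesNotExist when no row matches.
@dataclass(frozen=True)
class Project:
    id: int
    organization_id: int

class DoesNotExist(Exception):
    pass

PROJECTS = {  # constructed sample data
    1: Project(id=1, organization_id=10),  # belongs to the caller's org (10)
    2: Project(id=2, organization_id=20),  # belongs to another org
}

def get_project(**filters):
    """Mimics Project.objects.get(**filters): exactly one match or DoesNotExist."""
    matches = [p for p in PROJECTS.values()
               if all(getattr(p, k) == v for k, v in filters.items())]
    if len(matches) != 1:
        raise DoesNotExist()
    return matches[0]

def has_project_access(caller_org_id, project):
    # Stand-in for the post-query permission check that already existed.
    return project.organization_id == caller_org_id

def post_unscoped(caller_org_id, project_id):
    """Before the fix: look up by id alone, then check permission."""
    try:
        project = get_project(id=project_id)
    except DoesNotExist:
        return 404
    if not has_project_access(caller_org_id, project):
        return 403  # differs from 404, so the caller learns the id exists
    return 201

def post_scoped(caller_org_id, project_id):
    """After the fix: the query itself is scoped to the organization."""
    try:
        get_project(id=project_id, organization_id=caller_org_id)
    except DoesNotExist:
        return 404  # same answer for "other org" and "does not exist"
    return 201

def distinct_responses(handler, caller_org_id, ids):
    """Number of distinct status codes over probed ids; more than 1 is an oracle."""
    return len({handler(caller_org_id, pid) for pid in ids})
```

Probing ids 2 and 999 as org 10 yields two distinct codes from `post_unscoped` and one from `post_scoped`, which is the enumeration gap the regression test pins down.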

@getsantry getsantry bot added the Stale label Jan 6, 2026
@getsantry
Contributor

getsantry bot commented Jan 6, 2026

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you add the label WIP, I will leave it alone unless WIP is removed ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@getsantry getsantry bot closed this Jan 14, 2026
@dcramer dcramer reopened this Jan 15, 2026
@dcramer
Member Author

dcramer commented Jan 15, 2026

Will try to wrap up today

@dcramer
Member Author

dcramer commented Jan 15, 2026

This is ready for merge, can someone mash approve - verified the IDOR/behavior and I think it's what we desire at this point

May not be ultra critical. I just wanna merge it or close it

@getsantry getsantry bot removed the Stale label Jan 16, 2026
@dcramer dcramer force-pushed the fix/idor-organization-code-mappings branch from efeca00 to 1d0e709 Compare January 16, 2026 23:48