getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Sentry environments allows malicious data #26125

Open taylor-cedar opened 3 years ago

taylor-cedar commented 3 years ago

Important Details

How are you running Sentry?

On-Premise w/ Docker, version 21.1.0

Description

Bad actors are manipulating the environment values and creating fake environments in our system.

Steps to Reproduce

  1. Go to the environments page. See that SQL injection attempts and other bad data are in the environments list. [screenshot: Screen Shot 2021-05-18 at 3 59 09 PM]

What you expected to happen

Be able to set an allowed list of environments so people can't create fake environments
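One way a self-hosted operator could express the requested allow-list as an ingest-side check is shown below. This is an added example for this thread, not code from the issue or from Sentry itself; it assumes a hypothetical hook that receives each incoming event as a dict before it is stored, and the allowed names, the syntactic rule and the fallback bucket are a constructed policy for illustration. Rejected values are either remapped to a single fallback environment (so unknown names never become new environments, but the attempt is still visible as a tag) or dropped outright.

```python
import re
from typing import Optional

# Constructed policy for this example; not Sentry's own rules.
ALLOWED_ENVIRONMENTS = frozenset({"production", "staging", "development"})
# Single fallback bucket so rejected values never create new environments.
FALLBACK_ENVIRONMENT = "unknown"
# Conservative syntactic check: short, identifier-like names only (assumption).
VALID_ENV_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def classify_environment(value, allowed=ALLOWED_ENVIRONMENTS):
    """Return (accepted, reason) for the environment value of one event."""
    if value is None:
        return True, "absent"            # events without an environment are fine
    if not isinstance(value, str):
        return False, "not-a-string"
    if not VALID_ENV_NAME.fullmatch(value):
        return False, "malformed"        # spaces, quotes, newlines, over-long, etc.
    if value not in allowed:
        return False, "not-in-allow-list"
    return True, "allowed"


def filter_event(event: dict, allowed=ALLOWED_ENVIRONMENTS, mode: str = "remap") -> Optional[dict]:
    """Apply the allow-list to one event dict (hypothetical ingest hook).

    mode="remap": keep the event, move it to FALLBACK_ENVIRONMENT and record
                  the rejection reason and a truncated copy of the value as tags.
    mode="drop":  return None so the caller discards the event.
    """
    accepted, reason = classify_environment(event.get("environment"), allowed)
    if accepted:
        return event
    if mode == "drop":
        return None
    cleaned = dict(event)
    tags = dict(cleaned.get("tags") or {})
    tags["rejected_environment_reason"] = reason
    # Keep the original for investigation, but only as a bounded tag value,
    # never as the environment name itself.
    tags["rejected_environment_value"] = str(event.get("environment"))[:64]
    cleaned["tags"] = tags
    cleaned["environment"] = FALLBACK_ENVIRONMENT
    return cleaned


def summarize(events, allowed=ALLOWED_ENVIRONMENTS) -> dict:
    """Count events per classification reason; useful for an abuse dashboard."""
    counts: dict = {}
    for ev in events:
        _, reason = classify_environment(ev.get("environment"), allowed)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample events standing in for what a public DSN might receive.
SAMPLE_EVENTS = [
    {"message": "checkout failed", "environment": "production"},
    {"message": "probe", "environment": "staging' OR '1'='1"},   # constructed junk value
    {"message": "local test", "environment": "qa"},              # real-looking but not allowed
    {"message": "no env set"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(filter_event(ev))
    print(summarize(SAMPLE_EVENTS))
```

With `mode="remap"` the junk names still show up, but only inside tags of events filed under the one `unknown` environment, which is what keeps the environment dropdown clean while leaving the evidence available for triage; `mode="drop"` trades that visibility for less stored data.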

getsentry-release commented 3 years ago

Routing to @getsentry/visibility for triage. ⏲️

getsentry-release commented 3 years ago

Routing to @getsentry/workflow for triage. ⏲️

BYK commented 3 years ago

Sounds somewhat related to getsentry/relay#1015. Thoughts @jan-auer?

davidenwang commented 3 years ago

Thanks for writing in, this seems reasonable and we have been discussing it internally. We will add it to our backlog for now.

adhiraj commented 3 years ago

To add some color, this is due to anyone being able to send your sentry instance data, which has other side effects, so we're looking into whether solving this holistically makes more sense than fixing it in just environments (which we realize is probably one of the more prominent areas affected).

taylor-cedar commented 3 years ago

this is due to anyone being able to send your sentry instance data, which has other side effects

@adhiraj Just wondering. Is this not expected? We have it sending messages from client side Javascript (which is public). Is this dangerous from a security perspective?

BYK commented 3 years ago

@taylor-cedar it is expected and it is safe. We already have safe guards in place for certain types of abuse and your DSNs are safe to expose publicly:

https://docs.sentry.io/product/sentry-basics/dsn-explainer/#dsn-utilization

DSNs are safe to keep public because they only allow submission of new events and related event data; they do not allow read access to any information.

This work is just extending our abuse protection, especially around these newer features.

jan-auer commented 3 years ago

I think this is a relevant feature request. Even though sending fake environments into Sentry will not create a security issue, it does have an impact on the developers' experience in Sentry. A large list of environments is harder to navigate and clutters certain views, especially with dropdown lists.

We will add this to our backlog for further internal discussion. Thank you for raising this topic!