Open cemalokten opened 1 year ago
Hey @cemalokten @RamyAlshurafa @cyberteenie I'm by no means an expert on this matter but great spot. It really looks like the site was under some form of attempt to do bad things (6 days ago and also 2 weeks ago). I can also see that a GET endpoint was called with multiple random params. So taking this seriously is important. Here are some thoughts.
Immediate measures:
Short-term measures:
Thanks @cemalokten @dupreesi I have checked the DB and didn't find any injected scripts.
@dupreesi to speak to @RamyAlshurafa this week to see what measures are essential at this point.
This has been looked into and deemed as secure. We will continue to monitor and put this into the backlog for now.
Bumping the priority on this as it is causing too much disruption to the repository and costing us actions on Sentry
Stop automation to Github from Sentry for now - Kristina to do
I have disabled Sentry's connection to the repo. But we will need to look into this in the future.
@cyberteenie pushed a fix, I will keep monitoring Sentry and when we are sure the issue is resolved we can re-enable the Sentry automation
Further info: We've received multiple log entries (> 150) indicating that invalid values are being used where language_codes enum values are expected.
These values appear to be parts of HTML, CSS, and JavaScript strings, which suggests potential Cross-Site Scripting (XSS) attacks.
Here are some examples of the logged errors:
```
invalid input value for enum language_codes: "<EMBED SRC=//localhost/q6y266Gwa.swf AllowScriptAccess=always></EMBED>"
invalid input value for enum language_codes: "en"><DIV STYLE="width:expression(qss0ra91MFv=7)">"
invalid input value for enum language_codes: "<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:qss3iq19KYo=7">"
invalid input value for enum language_codes: "<STYLE type="text/css" a=3>BODY{background:url("javascript:qss3pvn320L=7")}</STYLE>"
```
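The errors above come from raw request input reaching the database's enum cast, so every probe turns into a Sentry event. The following is an added example, not code from this project, of the two defender-side pieces that stop that: an allowlist check on the language code at the request boundary (so junk is rejected before any query runs), and a small classifier that reads the enum error lines and counts how many of the rejected values carry markup. The allowlist members and the sample log lines are assumptions constructed for the example; the real enum's members are not shown in the issue.

```javascript
// Added example (not the project's code): reject invalid language codes at the
// request boundary, and triage enum-error log lines for markup-looking values.

// Assumed allowlist; the real language_codes enum members are not shown in the issue.
const LANGUAGE_CODES = new Set(["en", "ar", "fr", "es", "de"]);

// Return the normalised code if it is allowed, otherwise null.
// Anything that is not two ASCII letters is rejected before it can reach the DB.
function parseLanguageCode(raw) {
  if (typeof raw !== "string") return null;
  const code = raw.trim().toLowerCase();
  if (!/^[a-z]{2}$/.test(code)) return null;
  return LANGUAGE_CODES.has(code) ? code : null;
}

// Pull the rejected value out of a Postgres-style enum error line.
const ENUM_ERROR = /^invalid input value for enum language_codes: "(.*)"$/;
function extractRejectedValue(line) {
  const m = ENUM_ERROR.exec(line);
  return m ? m[1] : null;
}

// Heuristic: does the rejected value contain a tag, a javascript: URL, or a CSS expression()?
function looksLikeMarkupProbe(value) {
  return /<\s*[a-z!/]/i.test(value) || /javascript:/i.test(value) || /expression\s*\(/i.test(value);
}

// Summarise a batch of log lines: total enum errors and how many look like XSS probes.
function summarizeEnumErrors(lines) {
  const summary = { enumErrors: 0, markupProbes: 0, samples: [] };
  for (const line of lines) {
    const value = extractRejectedValue(line);
    if (value === null) continue;
    summary.enumErrors += 1;
    if (looksLikeMarkupProbe(value)) {
      summary.markupProbes += 1;
      if (summary.samples.length < 3) summary.samples.push(value.slice(0, 40));
    }
  }
  return summary;
}

// Constructed sample log lines: three shaped like the ones in the issue, one benign
// bad code, and one unrelated access-log line that the parser must ignore.
const SAMPLE_LOG = [
  'invalid input value for enum language_codes: "<EMBED SRC=//localhost/q6y266Gwa.swf AllowScriptAccess=always></EMBED>"',
  'invalid input value for enum language_codes: "en"><DIV STYLE="width:expression(qss0ra91MFv=7)">"',
  'invalid input value for enum language_codes: "<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:qss3iq19KYo=7">"',
  'invalid input value for enum language_codes: "xx"',
  "GET /api/resources?lang=en 200",
];

console.log(JSON.stringify(summarizeEnumErrors(SAMPLE_LOG)));

module.exports = { parseLanguageCode, extractRejectedValue, looksLikeMarkupProbe, summarizeEnumErrors, SAMPLE_LOG };
```

With the allowlist check in front of the query, a request carrying `lang=<EMBED ...>` gets a 400 from the handler and never produces a database error, which is what keeps Sentry (and the GitHub automation hanging off it) quiet while the probes continue.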