Skip to content

GitHub OAuth Security Enhancement#17

Open
ShashankFC wants to merge 1 commit into
oauth-state-vulnerablefrom
oauth-state-secure
Open

GitHub OAuth Security Enhancement#17
ShashankFC wants to merge 1 commit into
oauth-state-vulnerablefrom
oauth-state-secure

Conversation

@ShashankFC

@ShashankFC ShashankFC commented Jan 22, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown
Contributor

Test 4

Summary by CodeRabbit

  • New Features

    • Added OAuth-based GitHub login flow integration for seamless authentication

  • Bug Fixes

    • Enhanced installation validation to prevent mismatches between authenticated users and installations
    • Improved error messaging and handling for invalid installation requests, conflicts, and pending deletions

  • Tests

    • Expanded test coverage for GitHub installation flows and error scenarios

✏️ Tip: You can customize this high-level summary in your review settings.

Replicated from ai-code-review-evaluation/sentry-coderabbit#4

Note

Medium Risk
Touches the GitHub installation entry flow and adds new OAuth token exchange/user verification logic; mistakes could block installs or create edge-case regressions, though scope is limited to setup paths.

Overview
Adds a new OAuthLoginView step to the GitHub integration pipeline that performs a GitHub OAuth round-trip, exchanges the code for an access token, fetches the authenticated user (/user), and stores the login in pipeline state before continuing the install.

Hardens GitHubInstallation by reusing installation_id from pipeline state and rejecting installs when the authenticated GitHub user doesn’t match the integration’s recorded sender.login, and centralizes failure rendering via a shared error() helper (including customer-domain document_origin).

Updates PipelineAdvancerView to special-case only github for direct-from-GitHub install redirects, and expands tests to cover the OAuth redirect/callback flow plus new error cases (invalid state/installation and user mismatch).

Written by Cursor Bugbot for commit 843d7c7. Configure here.

@oioki
fix(security): validate GitHub user during integration installation (…
843d7c7 
…#67876)

We're adding one more step in the GitHub integration installation
pipeline, namely GitHub OAuth2 authorize. This is transparent from the
UX perspective as the data exchange happens without user interaction.

The pipeline will now fail in these cases:
- If there is a mismatch between currently authenticated GitHub user
(derived from OAuth2 authorize step) and the user who installed the
GitHub app (https://github.com/apps/sentry-io)
- If there is a mismatch between `state` parameter supplied by user and
pipeline signature
- If GitHub could not generate correct `access_token` from the `code`
(wrong or attempt of re-use of `code`).

In all those cases, this error is shown:

![image](https://github.com/getsentry/sentry/assets/1127549/18923861-2ead-4cf5-adda-7738aef801d7)
@ShashankFC

ShashankFC commented Feb 12, 2026

Copy link
Copy Markdown
Contributor Author

bugbot run

cursor[bot]
cursor Bot reviewed Feb 12, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

Comment thread src/sentry/integrations/github/integration.py
pipeline.fetch_state("github_authenticated_user")
!= integration.metadata["sender"]["login"]
):
return error(request, self.active_organization)

@cursor cursor Bot Feb 12, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing key check causes KeyError on metadata access

High Severity

Accessing integration.metadata["sender"]["login"] without checking if "sender" exists in metadata will raise a KeyError. The build_integration method only adds "sender" to metadata when state.get("sender") is truthy, but the pipeline state stores the GitHub user as "github_authenticated_user", not "sender". When finish_pipeline calls ensure_integration, it overwrites the Integration's metadata with the output of build_integration (which lacks "sender"), stripping the sender data originally set by the webhook. On any subsequent re-linking attempt, this line crashes. The existing installation.py endpoint already guards against this with if "sender" not in integration.metadata.

Additional Locations (1)

Fix in Cursor Fix in Web

Comment thread src/sentry/integrations/github/integration.py
"code": request.GET.get("code"),
"client_id": github_client_id,
"client_secret": github_client_secret,
}

@cursor cursor Bot Feb 12, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OAuth token exchange omits required redirect_uri parameter

Medium Severity

The OAuth authorization redirect includes redirect_uri, but the token exchange data dict omits it. Per the OAuth 2.0 spec (RFC 6749 §4.1.3), if redirect_uri was included in the authorization request, it must also be included—with an identical value—in the token request. The codebase's own OAuth2CallbackView.get_token_params() in identity/oauth2.py follows this pattern correctly. The comments in the new code even say "similar to OAuth2CallbackView.get_token_params" but the implementation diverges by leaving out redirect_uri.

Additional Locations (1)

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ShashankFC @oioki