fix(vercel): Adds signature check to vercel delete endpoint #109974

Merged
Christinarlong merged 4 commits into master from crl/fix-VULN-1153-vercel
Mar 10, 2026

@Christinarlong Christinarlong commented Mar 5, 2026

Currently we're not doing a signature check on requests on the delete endpoint for Vercel.

Fixes VULN-1153

@github-actions github-actions bot added the "Scope: Backend" label (automatically applied to PRs that change backend components) Mar 5, 2026
@Christinarlong Christinarlong marked this pull request as ready for review March 5, 2026 21:30
@Christinarlong Christinarlong requested review from a team as code owners March 5, 2026 21:30
@Christinarlong Christinarlong requested a review from a team March 5, 2026 21:30
@michelletran-sentry michelletran-sentry left a comment

Since all the endpoints in VercelWebhookEndpoint require signature validation, thoughts on creating a custom authentication class for this REST resource?

Maybe something like:

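from typing import Any
from rest_framework import authentication
from rest_framework.exceptions import AuthenticationFailed
from rest_framework.request import Request

class VercelSignatureAuthentication(authentication.BaseAuthentication):
    def authenticate(self, request: Request) -> tuple[Any, Any] | None:
        if not verify_signature(request):
            raise AuthenticationFailed("Invalid signature.")
        return None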

github-actions bot commented Mar 9, 2026

Backend Test Failures

Failures on f1b800e in this run:

tests/sentry/integrations/vercel/test_webhook.py::SignatureVercelTest::test_get
tests/sentry/integrations/vercel/test_webhook.py:30: in test_get
    assert response.status_code == 405
E   assert 401 == 405
E    +  where 401 = <Response status_code=401, "application/json">.status_code

@michelletran-sentry michelletran-sentry left a comment

LGTM!

@Christinarlong Christinarlong merged commit 1e9293e into master Mar 10, 2026
55 checks passed
@Christinarlong Christinarlong deleted the crl/fix-VULN-1153-vercel branch March 10, 2026 17:13
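
A stand-alone model of the check discussed in this thread, added here as an example and not Sentry's code: the signature is verified before the request is routed by method, so an unsigned request is rejected whatever its verb, consistent with the 401-instead-of-405 result in the test failure above. The header name, the use of HMAC-SHA1 over the raw body, the secret, the sample payload and the `handle` dispatcher are assumptions.

```python
import hashlib
import hmac

# Assumptions (not from the PR): header name, HMAC-SHA1 over the raw body,
# and the constructed secret below.
SIGNATURE_HEADER = "x-vercel-signature"
SECRET = b"constructed-example-secret"
ALLOWED_METHODS = {"POST", "DELETE"}


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Hex HMAC the sender would attach to the request."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_signature(headers: dict[str, str], body: bytes) -> bool:
    """True only if the header carries a valid HMAC of the exact raw body."""
    supplied = headers.get(SIGNATURE_HEADER)
    if not supplied:
        return False  # a missing header is a failure, never a bypass
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(sign(body).encode(), supplied.encode())


def handle(method: str, headers: dict[str, str], body: bytes) -> int:
    """Hypothetical dispatcher: authenticate first, then route by method."""
    if not verify_signature(headers, body):
        return 401  # checked for every method, so an unsigned GET is also 401
    if method not in ALLOWED_METHODS:
        return 405
    return 204 if method == "DELETE" else 200


if __name__ == "__main__":
    body = b'{"configurationId": "icfg_constructed"}'  # constructed sample payload
    signed = {SIGNATURE_HEADER: sign(body)}
    for method, hdrs, data in [
        ("DELETE", {}, body),             # unsigned delete
        ("DELETE", signed, body),         # signed delete
        ("DELETE", signed, body + b" "),  # signed, then body altered
        ("GET", {}, b""),                 # unsigned, unsupported method
    ]:
        print(method, bool(hdrs), handle(method, hdrs, data))
```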