Conversation

ameliahsu (Member)

Overriding the auth_url method from the BaseOAuth2 class to filter out the unsafe client_id query string.

fixes https://linear.app/getsentry/issue/RTC-1114/oauth-manipulation-in-sentrys-asana-integration-leading-to-account


linear bot commented Aug 28, 2025

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Aug 28, 2025

codecov bot commented Aug 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #98496      +/-   ##
==========================================
- Coverage   80.73%   80.61%   -0.12%     
==========================================
  Files        8604     8620      +16     
  Lines      381301   380757     -544     
  Branches    24710    24710              
==========================================
- Hits       307846   306954     -892     
- Misses      73077    73425     +348     
  Partials      378      378              

Comment on lines +81 to +101
```python
from urllib.parse import parse_qsl, urlencode  # import the method relies on; not shown in the excerpt


# Method as shown in the review thread (PR lines +81 to +101); it sits on the
# view class and reads the inbound request's raw query string.
def _get_safe_query_string(self):
    """
    Returns filtered query string without client_id parameter.
    """

    query_string = self.request.META.get("QUERY_STRING", "")
    if not query_string:
        return ""

    # Re-parse so the output is re-encoded; keep blank values such as "a=".
    parsed_params = parse_qsl(query_string, keep_blank_values=True)
    safe_params = []

    for param_name, param_value in parsed_params:
        # Remove client_id parameter (case-insensitive, so CLIENT_ID is dropped too)
        if param_name.lower() != "client_id":
            safe_params.append((param_name, param_value))

    if safe_params:
        return "&" + urlencode(safe_params)
    else:
        return ""
```

Rather than implement this just for asana, I think it'd be fine to make the change on the base class (BaseOAuth2). The other implementations are both deprecated, and it'd avoid us having to redeclare auth_url.
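To make the issue the PR description and the reviewed `_get_safe_query_string` address concrete, here is an added, stand-alone example (not Sentry's code and not the PR's diff). It models an auth_url builder that appends the inbound request's query string to the provider's authorize URL after the server's own fixed parameters, and a provider that resolves a duplicated key as last-one-wins; that provider behaviour, the URL, the client id and the redirect URI are constructed assumptions. `safe_query_string` reimplements the PR's filter as a free function and, going beyond the PR (which strips only `client_id`), takes the blocked names as a parameter so the same check can cover other server-controlled parameters.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed placeholders, not Sentry's or Asana's real values.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "sentry-registered-client-id"
REDIRECT_URI = "https://sentry.example/extensions/asana/setup/"

# Parameters the server sets itself; an attacker must not be able to override them.
FIXED_PARAMS = {
    "client_id": CLIENT_ID,
    "response_type": "code",
    "redirect_uri": REDIRECT_URI,
}


def auth_url_forwarding_everything(inbound_query_string):
    """Pre-fix shape (modelled, not Sentry's actual code): fixed params first,
    then the inbound query string appended verbatim."""
    url = AUTHORIZE_URL + "?" + urlencode(FIXED_PARAMS)
    if inbound_query_string:
        url += "&" + inbound_query_string
    return url


def safe_query_string(inbound_query_string, blocked=("client_id",)):
    """Free-function version of the PR's _get_safe_query_string.

    Re-parses the inbound query string, drops every blocked name
    (case-insensitive, so CLIENT_ID and Client_Id go too), keeps blank
    values, and re-encodes the remainder so the output is normalised.
    The default blocklist matches the PR; callers may widen it.
    """
    blocked_names = {name.lower() for name in blocked}
    params = parse_qsl(inbound_query_string or "", keep_blank_values=True)
    kept = [(k, v) for k, v in params if k.lower() not in blocked_names]
    return "&" + urlencode(kept) if kept else ""


def auth_url_filtered(inbound_query_string, blocked=("client_id",)):
    """Post-fix shape: identical to the unsafe builder except that the
    forwarded query string passes through safe_query_string first."""
    return (
        AUTHORIZE_URL
        + "?"
        + urlencode(FIXED_PARAMS)
        + safe_query_string(inbound_query_string, blocked)
    )


def params_as_seen_by_provider(url):
    """Assumed provider behaviour: duplicate query keys resolve last-one-wins.
    dict(parse_qsl(...)) keeps the last value for a repeated key, which is
    exactly the resolution rule that lets an appended client_id take over."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed attacker input: a legitimate-looking state plus an injected client_id.
    attacker_qs = "state=abc&client_id=attacker-app"
    before = params_as_seen_by_provider(auth_url_forwarding_everything(attacker_qs))
    after = params_as_seen_by_provider(auth_url_filtered(attacker_qs))
    print("unfiltered client_id :", before["client_id"])
    print("filtered client_id   :", after["client_id"])
    # Wider blocklist: also refuse an injected redirect_uri.
    print(safe_query_string("state=abc&redirect_uri=https://evil.example/",
                            blocked=("client_id", "redirect_uri")))
```

Under the last-one-wins assumption the unfiltered URL hands the provider the attacker's client id while the filtered URL keeps the server's; whether a given provider actually resolves duplicates that way, takes the first value, or rejects the request is provider-specific, which is why stripping the parameter before building the URL is the right place to fix this rather than relying on the provider's parsing.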
