
Investigate if the XSS vulnerability addressed in Sentry 7.6.1 affects us
Closed, Resolved · Public

Description

Today we're releasing Sentry 7.6.1 and 7.5.5 which include an XSS hotfix related to rendering low cardinality tags in the stream filters.
This vulnerability affects many historical versions, and it's out of scope to attempt to list them all.
We recommend upgrading as this vulnerability is exposed to users in many situations, even without using the JavaScript client.
The specific commit which addresses the issue is here:
https://github.com/getsentry/sentry/commit/364b959811561de83f29893e105cc590224edbee

(source)

Low priority right now because Sentry is only used in test installations but blocks future deployments. Currently we use 6.4.4 on sentry-beta and 7.4.3 in the puppet roles.

Event Timeline

Tgr created this task. Jul 9 2015, 5:35 PM
Tgr claimed this task.
Tgr raised the priority of this task from to Normal.
Tgr updated the task description.
Tgr added projects: Sentry, Security-Other.
Tgr added a subscriber: Tgr.
Restricted Application added a subscriber: Aklapper. Jul 9 2015, 5:35 PM
Tgr renamed this task from Investigate if the XSS vulnerability addressed in Sentry 7.6.1 affects as to Investigate if the XSS vulnerability addressed in Sentry 7.6.1 affects us. Jul 9 2015, 5:35 PM
Tgr set Security to None.
Tgr added a comment. Jul 9 2015, 7:23 PM
11:44 < davidcramer> tgr: $ raven test --tags='{"test": "http://<script>alert(1)</script>"}' http://2be6fb616b3d4901ada3836176d94043:ad15a8a4eae84369bf26fce93c1c9ef5@localhost:8000/37
11:45 < davidcramer> and then hit your stream
11:45 < davidcramer> obv change the DSN
11:45 < davidcramer> once you click the “test” tag itll show the alert
11:45 < davidcramer> this probably affects versions dating back many years
11:45 < davidcramer> well, at least when we intro’d select2
Tgr added a comment. Jul 10 2015, 12:45 AM

sentry-beta is affected (so then probably everything else as well).
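The repro above works because a tag value chosen by whoever sends the event is interpolated into the stream filter's markup without escaping. The following is an added example, not Sentry's code or the fix in the linked commit: a vulnerable rendering of tag values into a select2-style dropdown beside its hardened form, with the payload from the IRC log as constructed input and a check a reviewer could keep as a regression test.

```javascript
// Added example (not Sentry code): unescaped vs escaped rendering of
// low-cardinality tag values into a stream-filter dropdown.

// Constructed sample input; the first value is the payload from the IRC repro.
const SAMPLE_TAG_VALUES = {
  test: ['http://<script>alert(1)</script>', 'production'],
  browser: ['Firefox 38', 'Chrome "canary"'],
};

// Minimal HTML escaping suitable for both text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: tag keys and values are concatenated straight into markup,
// so a value like "<script>alert(1)</script>" becomes live HTML in the stream.
function renderTagFilterUnsafe(tags) {
  return Object.entries(tags).map(([key, values]) =>
    `<select name="${key}">` +
    values.map((v) => `<option value="${v}">${v}</option>`).join('') +
    '</select>').join('');
}

// Hardened shape: every key and value is escaped before it reaches the markup;
// the payload is still displayed as a selectable tag, but only as text.
function renderTagFilterSafe(tags) {
  return Object.entries(tags).map(([key, values]) =>
    `<select name="${escapeHtml(key)}">` +
    values.map((v) => `<option value="${escapeHtml(v)}">${escapeHtml(v)}</option>`).join('') +
    '</select>').join('');
}

// Regression check: rendered filter markup must never contain a raw <script tag.
// Escaped output contains "&lt;script", which this pattern does not match.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}
```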

Change 225561 had a related patch set uploaded (by Gergő Tisza):
Update Sentry: 7.4.3 -> 7.6.2

https://gerrit.wikimedia.org/r/225561

Change 225827 had a related patch set uploaded (by Gergő Tisza):
[WIP] Version update: 7.4.3 -> 7.6.2

https://gerrit.wikimedia.org/r/225827

Change 225827 merged by Ori.livneh:
Version update: 7.4.3 -> 7.6.2

https://gerrit.wikimedia.org/r/225827

Change 225561 merged by jenkins-bot:
Update Sentry: 7.4.3 -> 7.6.2

https://gerrit.wikimedia.org/r/225561

Tgr closed this task as Resolved. Jul 30 2015, 5:35 AM