Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

delete session security fix #560

Closed
wants to merge 18 commits into from
Closed

delete session security fix #560

wants to merge 18 commits into from

Conversation

JerrySentry
Copy link
Contributor

@JerrySentry JerrySentry commented May 13, 2024
edited
Loading

fixes: https://github.com/codecov/internal-issues/issues/469

Only allow sessions to be deleted if they are belonging to the authenticated user.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. In 2022 this entity acquired Codecov and as result Sentry is going to need some rights from me in order to utilize my contributions in this PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

@JerrySentry JerrySentry requested a review from a team as a code owner May 13, 2024 18:34
@codecov-notifications
Copy link

codecov-notifications bot commented May 13, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

@codecov-qa
Copy link

codecov-qa bot commented May 13, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.33%. Comparing base (83a5577) to head (2425b6f).

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #560   +/-   ##
=======================================
  Coverage   91.32%   91.33%           
=======================================
  Files         599      599           
  Lines       15940    15951   +11     
=======================================
+ Hits        14558    14569   +11     
  Misses       1382     1382
Flag Coverage Δ
unit 91.33% <100.00%> (+<0.01%) ⬆️
unit-latest-uploader 91.33% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@codecov-public-qa Codecov Public QA
Copy link

codecov-public-qa bot commented May 13, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.33%. Comparing base (83a5577) to head (2425b6f).

✅ All tests successful. No failed tests found ☺️

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #560   +/-   ##
=======================================
  Coverage   91.32%   91.33%           
=======================================
  Files         599      599           
  Lines       15940    15951   +11     
=======================================
+ Hits        14558    14569   +11     
  Misses       1382     1382
Flag Coverage Δ
unit 91.33% <100.00%> (+<0.01%) ⬆️
unit-latest-uploader 91.33% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
api/shared/permissions.py 98.90% <100.00%> (+0.06%) ⬆️
..._auth/commands/owner/interactors/delete_session.py 100.00% <100.00%> (ø)

Impacted file tree graph

JerrySentry
JerrySentry commented May 13, 2024
View reviewed changes
api/shared/permissions.py
@@ -1,13 +1,15 @@
import logging
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Entire file is ruff and mypy changes

@codecov Codecov
Copy link

codecov bot commented May 13, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.82%. Comparing base (83a5577) to head (1472777).

❗ Current head 1472777 differs from pull request most recent head 2425b6f. Consider uploading reports for the commit 2425b6f to get more accurate results

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@          Coverage Diff          @@
##            main    #560   +/-   ##
=====================================
  Coverage   95.82   95.82           
=====================================
  Files        777     777           
  Lines      17258   17269   +11     
=====================================
+ Hits       16537   16548   +11     
  Misses       721     721
Flag Coverage Δ
unit 91.33% <100.00%> (+<0.01%) ⬆️
unit-latest-uploader 91.33% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ajay-sentry
ajay-sentry reviewed May 14, 2024
View reviewed changes
codecov_auth/commands/owner/interactors/delete_session.py
if not self.current_user.is_authenticated:
raise Unauthenticated()

@sync_to_async
def execute(self, sessionid: int):
def execute(self, sessionid: int) -> None:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought there was a mypy rule that makes "return as none" implicit if no type is presented?

I could see it either way tho, related thread here: python/mypy#7511

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah we added the warn_no_return to the tests, I think we shouldn't have that for these files. Its not always obvious a function returns None or not, unlike test functions.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah fair enough, Im good to keep as is

ajay-sentry
ajay-sentry reviewed May 14, 2024
View reviewed changes
codecov_auth/tests/unit/views/test_okta.py
from codecov_auth.views.okta import auth as okta_basic_auth
from codecov_auth.views.okta import validate_id_token
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how come we split this to a separate line?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Uh ruff did that..

@JerrySentry JerrySentry added this pull request to the merge queue May 14, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks May 14, 2024
JerrySentry and others added 9 commits May 15, 2024 11:07
@JerrySentry
remove wrong thing
83f517d 
Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@JerrySentry
add typing
eff8365 
Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@JerrySentry
rename var
722f8d7 
Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@JerrySentry
handle non existent sessions
92130f2 
Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@JerrySentry
add another test
53ff7fe 
Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@ajay-sentry @JerrySentry
update workflows to latest (#556)
389bbdb 
Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@nora-codecov @JerrySentry
remove troubleshooting logs (#557)
8e145b7 
* adding logs for debugging

* change log level from debug to info

* make token slice safer

* remove troubleshooting logs

Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@adrian-codecov @JerrySentry
fix scheduled details key w/ stripe version upgrade (#563)
6eb717e 
* fix scheduled details key w/ stripe version upgrade

* add other test case

* remove print

Signed-off-by: JerrySentry <jerry.feng@sentry.io>
@JerrySentry
Merge branch 'may_13_session' of github.com:codecov/codecov-api into …
2425b6f 
…may_13_session
auto-merge was automatically disabled May 15, 2024 15:41

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajay-sentry ajay-sentry ajay-sentry approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@JerrySentry @ajay-sentry @nora-codecov @adrian-codecov