
feat(supergroups): add group id to supergroup lookup endpoint #111265

Merged
cvxluo merged 3 commits into master from cvxluo/add-by-group-endpoint-for-group-id-supergroup-look on Mar 23, 2026


Contributor

@cvxluo cvxluo commented Mar 20, 2026

New endpoint similar to the other supergroup ones to specifically fetch supergroups by a list of group ids.

@github-actions github-actions bot added the Scope: Backend and Scope: Frontend labels Mar 20, 2026
@github-actions
Contributor

🚨 Warning: This pull request contains Frontend and Backend changes!

It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently.

Have questions? Please ask in the #discuss-dev-infra channel.

@cvxluo cvxluo marked this pull request as ready for review March 23, 2026 17:22
@cvxluo cvxluo requested review from a team as code owners March 23, 2026 17:22
Comment thread src/sentry/seer/supergroups/endpoints/organization_supergroups_by_group.py Outdated
Comment thread src/sentry/api/urls.py
r"^(?P<organization_id_or_slug>[^/]+)/seer/supergroups/by-group/$",
OrganizationSupergroupsByGroupEndpoint.as_view(),
name="sentry-api-0-organization-supergroups-by-group",
),
Contributor Author


i don't think the IDOR is correct since the risk is that someone can craft a query that accesses groups outside of their organization. but they can't do that because the endpoint takes the organization auth token, so they'd have to already have access to the other organization. since group ids are unique across organizations, they couldn't query using their organization + another organization's group ids, since that combination would never be valid.

Member


I think you're checking that they have access to this organization but you aren't checking they have access to the group ids being passed

Contributor Author


ah i see — i think it wouldn't matter, since we filter in seer by org + group_id. i'll add a check here just in case
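The object-level check discussed in this thread, as an added example that is not code from the pull request or from Sentry: every requested group id is verified against the caller's organization and visible projects before anything is forwarded downstream. `Caller`, `GROUP_OWNERS`, the 100-id limit and the project-membership rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: group id -> (organization id, project id).
GROUP_OWNERS = {
    101: (1, 10),
    102: (1, 11),
    201: (2, 20),
}


@dataclass(frozen=True)
class Caller:
    """Hypothetical authenticated principal: one org, a set of visible projects."""
    organization_id: int
    project_ids: frozenset


class GroupAccessError(Exception):
    """Raised when any requested group id is not visible to the caller."""


def parse_group_ids(raw_values, limit=100):
    """Parse repeated group_id query values; reject junk and oversized lists."""
    if not raw_values or len(raw_values) > limit:
        raise ValueError("group_id must be supplied between 1 and %d times" % limit)
    ids = []
    for raw in raw_values:
        # isascii() excludes Unicode digits that isdigit() alone would accept.
        if not raw.isascii() or not raw.isdigit():
            raise ValueError("group_id must be a decimal integer")
        ids.append(int(raw))
    return sorted(set(ids))


def authorize_group_ids(caller, group_ids, owners=GROUP_OWNERS):
    """Return group_ids only if every one belongs to the caller's org and projects.

    Unknown ids and ids owned elsewhere fail identically, so the response does
    not reveal whether a group exists in another organization.
    """
    for gid in group_ids:
        owner = owners.get(gid)
        if (owner is None or owner[0] != caller.organization_id
                or owner[1] not in caller.project_ids):
            raise GroupAccessError("one or more group ids are not accessible")
    return group_ids
```

Doing the check at the endpoint keeps the authorization decision independent of how the downstream service filters its own data.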

status=response.status,
)

return Response(orjson.loads(response.data))
Contributor


Unhandled JSONDecodeError when parsing Seer API response

The orjson.loads(response.data) call at line 84 does not catch JSONDecodeError. Other Seer API handlers in the codebase explicitly handle this exception because Seer can return HTML error pages instead of JSON even with non-4xx status codes. If Seer returns invalid JSON (e.g., an HTML error page or truncated response), this endpoint will raise an unhandled exception and return a 500 error to the user.

Verification

Read src/sentry/seer/similarity/similar_issues.py which shows JSONDecodeError handling with comment 'caused by Seer erroring out and sending back the error page HTML'. Also verified multiple other Seer API handlers (compare.py, get_historical_anomalies.py, store_data.py, autofix/utils.py) all wrap JSON parsing in try/except JSONDecodeError. The existing organization_supergroups.py has the same gap.

Identified by Warden sentry-backend-bugs · A79-VL7
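The failure mode described in the comment above, as an added example that is not code from the pull request or from Sentry: an upstream reply that is an HTML error page or truncated JSON is turned into a controlled upstream error instead of an unhandled exception. It uses the standard-library `json` module in place of `orjson` so it runs without dependencies; `UpstreamError`, `parse_upstream_json`, `classify` and the sample bodies are constructed for illustration.

```python
import json

# Constructed sample bodies.
OK_BODY = b'{"data": []}'
HTML_ERROR_PAGE = b"<html><body>502 Bad Gateway</body></html>"
TRUNCATED_BODY = b'{"data": [{"id": 1'


class UpstreamError(Exception):
    """Upstream reply was unusable; map it to a 502-style response, not a 500."""

    def __init__(self, reason, status):
        super().__init__(reason)
        self.reason = reason
        self.status = status


def parse_upstream_json(status, body):
    """Decode an upstream body, treating non-JSON replies as an upstream failure."""
    if status >= 400:
        raise UpstreamError("upstream_status", status)
    try:
        # json.JSONDecodeError subclasses ValueError, and invalid UTF-8 raises
        # UnicodeDecodeError, which is also a ValueError.
        payload = json.loads(body)
    except ValueError:
        # The raw body is deliberately not echoed back to the client.
        raise UpstreamError("invalid_json", status) from None
    if not isinstance(payload, dict):
        raise UpstreamError("unexpected_shape", status)
    return payload


def classify(status, body):
    """Return 'ok' or the failure reason, for logging and metrics."""
    try:
        parse_upstream_json(status, body)
    except UpstreamError as exc:
        return exc.reason
    return "ok"
```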

@cvxluo cvxluo force-pushed the cvxluo/add-by-group-endpoint-for-group-id-supergroup-look branch from 009d2c8 to bad40dd Compare March 23, 2026 20:54
@cvxluo cvxluo merged commit 62f05be into master Mar 23, 2026
66 of 68 checks passed
@cvxluo cvxluo deleted the cvxluo/add-by-group-endpoint-for-group-id-supergroup-look branch March 23, 2026 21:33
scttcper added a commit that referenced this pull request Mar 23, 2026
Switch from the general supergroups endpoint with a query string to
the new dedicated by-group endpoint that accepts group_id params
directly. This aligns with the backend endpoint added in #111265.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot locked and limited conversation to collaborators Apr 8, 2026