Skip to content

Commit

Permalink
fix: only return necessary information in audit logs
Browse files Browse the repository at this point in the history
  • Loading branch information
mdtro committed Jan 14, 2025
1 parent 6c17435 commit 624ea37
Show file tree
Hide file tree
Showing 2 changed files with 75 additions and 1 deletion.
5 changes: 4 additions & 1 deletion src/sentry/api/serializers/models/auditlogentry.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,10 @@ def fix(data):
if hasattr(data["teams"][0], "id"):
data["teams"] = [t.id for t in data["teams"]]

return data
# Only return fields in the `data` field that are actually used by the frontend
# Do not add fields to this list that contain sensitive information
required_fields = {"id", "slug", "old_slug", "new_slug", "name"}
return {k: v for k, v in data.items() if k in required_fields}


def override_actor_id(user):
Expand Down
71 changes: 71 additions & 0 deletions tests/sentry/api/serializers/test_auditlogentry.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,77 @@ def test_simple(self):
assert result["event"] == "team.create"
assert result["actor"]["username"] == self.user.username
assert result["dateCreated"] == datetime
assert result["data"] == {"slug": "New Team"}

def test_data_field_filtering(self):
"""Test that only allowed fields are present in the data field"""
log = AuditLogEntry.objects.create(
organization_id=self.organization.id,
event=audit_log.get_event_id("PROJECT_EDIT"),
actor=self.user,
datetime=timezone.now(),
data={
"id": "123",
"slug": "project-slug",
"old_slug": "old-slug",
"new_slug": "new-slug",
"name": "Project Name",
"sensitive_field": "should_not_appear",
"another_field": "should_not_appear",
},
)

serializer = AuditLogEntrySerializer()
result = serialize(log, serializer=serializer)

# Check that only allowed fields are present
allowed_fields = {"id", "slug", "old_slug", "new_slug", "name"}
assert set(result["data"].keys()) == allowed_fields
assert "sensitive_field" not in result["data"]
assert "another_field" not in result["data"]

def test_data_field_empty_when_no_required_fields(self):
"""Test that data field is empty when none of the required fields are present"""
log = AuditLogEntry.objects.create(
organization_id=self.organization.id,
event=audit_log.get_event_id("PROJECT_EDIT"),
actor=self.user,
datetime=timezone.now(),
data={
"unrequired_field1": "value1",
"unrequired_field2": "value2",
},
)

serializer = AuditLogEntrySerializer()
result = serialize(log, serializer=serializer)

assert result["data"] == {}

def test_teams_conversion(self):
"""Test that teams are properly converted from objects to IDs"""

class MockTeam:
def __init__(self, id):
self.id = id

log = AuditLogEntry.objects.create(
organization_id=self.organization.id,
event=audit_log.get_event_id("PROJECT_EDIT"),
actor=self.user,
datetime=timezone.now(),
data={
"id": "123",
"slug": "project-slug",
"teams": [MockTeam(1), MockTeam(2)],
},
)

serializer = AuditLogEntrySerializer()
result = serialize(log, serializer=serializer)

assert result["data"]["teams"] == [1, 2]
assert isinstance(result["data"]["teams"][0], int)

def test_scim_logname(self):
uuid_prefix = "681d6e"
Expand Down

0 comments on commit 624ea37

Please sign in to comment.