Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(crons): Use appropriate email for notifying users of broken detections/auto-mutes #69595

Merged
merged 1 commit into from
May 7, 2024
Merged

feat(crons): Use appropriate email for notifying users of broken detections/auto-mutes #69595

merged 1 commit into from
May 7, 2024

Conversation

davidenwang
Copy link
Contributor

@davidenwang davidenwang commented Apr 24, 2024
edited
Loading

If the user set up alternative email routing for the given project of a monitor via settings like this:
image

Then respect it when sending the broken monitor emails.

@davidenwang davidenwang changed the base branch from master to davidenwang/broken-monitors-owners April 24, 2024 17:51
@sentry-io Sentry.io
Copy link

sentry-io bot commented Apr 24, 2024

🔍 Existing Issues For Review

Your pull request is modifying functions with the following pre-existing issues:

📄 File: src/sentry/monitors/tasks/detect_broken_monitor_envs.py

Function Unhandled Issue
detect_broken_monitor_envs_for_org SoftTimeLimitExceeded: SoftTimeLimitExceeded() se...
Event Count: 1

Did you find this useful? React with a 👍 or 👎

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Apr 24, 2024
@davidenwang davidenwang force-pushed the davidenwang/broken-monitors-appropriate-emails branch from 0ffbc22 to 1282828 Compare April 24, 2024 19:05
@davidenwang davidenwang marked this pull request as ready for review April 24, 2024 19:09
@davidenwang davidenwang requested a review from a team as a code owner April 24, 2024 19:09
mdtro
mdtro requested changes Apr 24, 2024
View reviewed changes
Copy link
Member

@mdtro mdtro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we only send these emails to those that are verified email addresses? This has potential to be abused to spam accounts not under the user's control.

Base automatically changed from davidenwang/broken-monitors-owners to master April 25, 2024 18:35
@davidenwang
Copy link
Contributor Author

Can we only send these emails to those that are verified email addresses? This has potential to be abused to spam accounts not under the user's control.

Ahh yes we could check to make sure the email is verified, but could you elaborate more here? The user will be the one picking which email address they want communications to, so just want to understand how it might not be in their control.

@wedamija
Copy link
Member

Can we only send these emails to those that are verified email addresses? This has potential to be abused to spam accounts not under the user's control.

Ahh yes we could check to make sure the email is verified, but could you elaborate more here? The user will be the one picking which email address they want communications to, so just want to understand how it might not be in their control.

An attacker could make a bunch of accounts for users using emails they don't own, then sentry would send them a bunch of spam. We've actually had this happen before from what I remember. I wonder if the function you're calling should just be getting validated emails, since get_email_addresses calls user_service.verify_user_emails, which sounds to me like it should return validated emails only. We could discuss that with hybrid cloud

@davidenwang
Copy link
Contributor Author

Can we only send these emails to those that are verified email addresses? This has potential to be abused to spam accounts not under the user's control.

Ahh yes we could check to make sure the email is verified, but could you elaborate more here? The user will be the one picking which email address they want communications to, so just want to understand how it might not be in their control.

An attacker could make a bunch of accounts for users using emails they don't own, then sentry would send them a bunch of spam. We've actually had this happen before from what I remember. I wonder if the function you're calling should just be getting validated emails, since get_email_addresses calls user_service.verify_user_emails, which sounds to me like it should return validated emails only. We could discuss that with hybrid cloud

Ahh I see now ty @wedamija @mdtro for the headsup, yea we should definitely guard against this. Reached out to hybrid cloud but they don't seem to have opinions about this since they just ported the code over to make it silo-safe. Will probably add a parameter to get_email_addresses to only return emails if they are verified and run it by the alert folks.

@davidenwang davidenwang mentioned this pull request Apr 30, 2024
Merged
@davidenwang davidenwang force-pushed the davidenwang/broken-monitors-appropriate-emails branch from 1282828 to 22cd79c Compare April 30, 2024 02:32
@davidenwang davidenwang changed the base branch from master to davidenwang/only-verified-argument April 30, 2024 02:33
@davidenwang davidenwang requested a review from mdtro April 30, 2024 02:33
@codecov Codecov
Copy link

codecov bot commented Apr 30, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.89%. Comparing base (5325518) to head (55f5eb5).
Report is 227 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #69595      +/-   ##
==========================================
+ Coverage   79.82%   79.89%   +0.06%     
==========================================
  Files        6495     6499       +4     
  Lines      288943   289669     +726     
  Branches    49759    49877     +118     
==========================================
+ Hits       230661   231436     +775     
+ Misses      57886    57837      -49     
  Partials      396      396
Files Coverage Δ
...entry/monitors/tasks/detect_broken_monitor_envs.py 94.28% <100.00%> (+0.05%) ⬆️

... and 191 files with indirect coverage changes

Base automatically changed from davidenwang/only-verified-argument to master April 30, 2024 18:39
davidenwang pushed a commit that referenced this pull request Apr 30, 2024
ref(email): Add only-verified parameter to get_email_addresses (#69940)
5325518 
Follow up to #69812, and
necessary for #69595
@davidenwang davidenwang force-pushed the davidenwang/broken-monitors-appropriate-emails branch from 22cd79c to 64bf5ca Compare April 30, 2024 18:39
@davidenwang davidenwang force-pushed the davidenwang/broken-monitors-appropriate-emails branch from 64bf5ca to 0de2e66 Compare May 1, 2024 17:55
@davidenwang davidenwang force-pushed the davidenwang/broken-monitors-appropriate-emails branch from 0de2e66 to 55f5eb5 Compare May 3, 2024 22:13
@davidenwang davidenwang requested a review from wedamija May 3, 2024 22:14
@davidenwang davidenwang merged commit 82a42bd into master May 7, 2024
49 checks passed
@davidenwang davidenwang deleted the davidenwang/broken-monitors-appropriate-emails branch May 7, 2024 18:18
@github-actions github-actions bot locked and limited conversation to collaborators May 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mdtro mdtro mdtro approved these changes

@evanpurkhiser evanpurkhiser evanpurkhiser approved these changes

@wedamija wedamija Awaiting requested review from wedamija

Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@davidenwang @wedamija @evanpurkhiser @mdtro