Skip to content

locator: sign control plane requests#112

Merged
lynnagara merged 12 commits intomainfrom
control-plane-sign-requests
Jan 15, 2026
Merged

locator: sign control plane requests#112
lynnagara merged 12 commits intomainfrom
control-plane-sign-requests

Conversation

@lynnagara
Copy link
Member

@lynnagara lynnagara commented Jan 13, 2026

to match hmac auth added in getsentry/sentry#105975

markstory
markstory reviewed Jan 14, 2026
View reviewed changes
Copy link
Member

@markstory markstory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good so far.

@lynnagara lynnagara marked this pull request as ready for review January 14, 2026 23:26
@lynnagara lynnagara requested a review from a team as a code owner January 14, 2026 23:26
sentry[bot]
sentry bot reviewed Jan 14, 2026
View reviewed changes
locator/src/control_plane.rs

if let Some(secret) = &self.hmac_secret {
// For GET requests, body is empty bytes
let signature = Self::compute_hmac_signature(secret, url.path(), &[]);
Copy link

@sentry sentry bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The HMAC signature is computed using url.path(), which excludes query parameters. This will cause signature validation to fail for paginated requests that include a cursor parameter.
Severity: CRITICAL

Suggested Fix

The HMAC signature should be computed over the full request path including the query string. Instead of just url.path(), use a combination of the path and url.query() to construct the data to be signed. This ensures that the client and server are signing the exact same request components.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: locator/src/control_plane.rs#L169

Potential issue: The HMAC signature for control plane requests is calculated on line 169
using `url.path()`. However, this method from the `url` crate returns only the path
component, excluding any query parameters. For paginated requests, a `cursor` query
parameter is added to the URL. When the server receives the request, it will compute the
signature over the full path and query string, leading to a mismatch and a validation
failure. This will break the locator service's ability to sync multi-page snapshots or
incremental updates whenever pagination is required.

Did we get this right? 👍 / 👎 to inform future reviews.

Copy link
Member

@markstory markstory Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The validation side in django doesn't include the query string either.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 14, 2026
View reviewed changes
markstory
markstory approved these changes Jan 15, 2026
View reviewed changes
locator/src/control_plane.rs

if let Some(secret) = &self.hmac_secret {
// For GET requests, body is empty bytes
let signature = Self::compute_hmac_signature(secret, url.path(), &[]);
Copy link
Member

@markstory markstory Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The validation side in django doesn't include the query string either.

@lynnagara lynnagara merged commit 04aa106 into main Jan 15, 2026
12 checks passed
@lynnagara lynnagara deleted the control-plane-sign-requests branch January 15, 2026 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@markstory markstory markstory approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lynnagara @markstory

Comments