fix(api): Validate more user-provided int ids

src/sentry/api/endpoints/debug_files.py

@@ -55,6 +55,7 @@
     set_assemble_status,
 )
 from sentry.utils.db import atomic_transaction
+from sentry.workflow_engine.endpoints.utils.ids import to_valid_int_id
 
 logger = logging.getLogger("sentry.api")
 ERR_FILE_EXISTS = "A file matching this debug identifier already exists"
@@ -258,7 +259,7 @@ def get(self, request: Request, project: Project) -> Response:
         """
         download_requested = request.GET.get("id") is not None
         if download_requested and has_download_permission(request, project):
-            return self.download(request.GET.get("id"), project)
+            return self.download(to_valid_int_id("id", request.GET["id"], raise_404=True), project)
         elif download_requested:
             return Response(status=403)
 
@@ -356,9 +357,10 @@ def delete(self, request: Request, project: Project) -> Response:
         """
         debug_file_id = request.GET.get("id")
         if debug_file_id and _has_delete_permission(request.access, project):
+            validated_id = to_valid_int_id("id", debug_file_id, raise_404=True)
             with atomic_transaction(using=router.db_for_write(File)):
                 debug_file = (
-                    ProjectDebugFile.objects.filter(id=debug_file_id, project_id=project.id)
+                    ProjectDebugFile.objects.filter(id=validated_id, project_id=project.id)
                     .select_related("file")
                     .first()
                 )

src/sentry/integrations/api/endpoints/data_forwarding_details.py

@@ -35,6 +35,7 @@
     RpcUserOrganizationContext,
 )
 from sentry.web.decorators import set_referrer_policy
+from sentry.workflow_engine.endpoints.utils.ids import to_valid_int_id
 
 
 class OrganizationDataForwardingDetailsPermission(OrganizationPermission):
@@ -73,7 +74,7 @@ def convert_args(
         self,
         request: Request,
         organization_id_or_slug: int | str,
-        data_forwarder_id: int,
+        data_forwarder_id: int | str,
         *args,
         **kwargs,
     ):
@@ -86,7 +87,7 @@ def convert_args(
 
         try:
             data_forwarder = DataForwarder.objects.get(
-                id=data_forwarder_id,
+                id=to_valid_int_id("data_forwarder_id", data_forwarder_id, raise_404=True),
                 organization=kwargs["organization"],
             )
         except DataForwarder.DoesNotExist:

src/sentry/integrations/api/endpoints/external_user_details.py

@@ -24,6 +24,7 @@
 from sentry.integrations.api.serializers.models.external_actor import ExternalActorSerializer
 from sentry.integrations.models.external_actor import ExternalActor
 from sentry.models.organization import Organization
+from sentry.workflow_engine.endpoints.utils.ids import to_valid_int_id
 
 logger = logging.getLogger(__name__)
 
@@ -42,13 +43,14 @@ def convert_args(
         self,
         request: Request,
         organization_id_or_slug: int | str,
-        external_user_id: int,
+        external_user_id: int | str,
         *args: Any,
         **kwargs: Any,
     ) -> tuple[tuple[Any, ...], dict[str, Any]]:
         args, kwargs = super().convert_args(request, organization_id_or_slug, *args, **kwargs)
         kwargs["external_user"] = self.get_external_actor_or_404(
-            external_user_id, kwargs["organization"]
+            to_valid_int_id("external_user_id", external_user_id, raise_404=True),
+            kwargs["organization"],
         )
         return args, kwargs
 

src/sentry/integrations/api/endpoints/organization_repository_commits.py

@@ -20,6 +20,7 @@
 from sentry.apidocs.utils import inline_sentry_response_serializer
 from sentry.models.commit import Commit
 from sentry.models.repository import Repository
+from sentry.workflow_engine.endpoints.utils.ids import to_valid_int_id
 
 
 @cell_silo_endpoint
@@ -73,7 +74,10 @@ def get(self, request: Request, organization, repo_id) -> Response:
         List a Repository's Commits
         """
         try:
-            repo = Repository.objects.get(id=repo_id, organization_id=organization.id)
+            repo = Repository.objects.get(
+                id=to_valid_int_id("repo_id", repo_id, raise_404=True),
+                organization_id=organization.id,
+            )
         except Repository.DoesNotExist:
             raise ResourceDoesNotExist
 

src/sentry/notifications/api/endpoints/notification_actions_details.py

@@ -27,6 +27,7 @@
     OutgoingNotificationActionSerializer,
 )
 from sentry.notifications.models.notificationaction import NotificationAction
+from sentry.workflow_engine.endpoints.utils.ids import to_valid_int_id
 
 logger = logging.getLogger(__name__)
 
@@ -50,13 +51,16 @@ class NotificationActionsDetailsEndpoint(OrganizationEndpoint):
 
     permission_classes = (NotificationActionsPermission,)
 
-    def convert_args(self, request: Request, action_id: int, *args, **kwargs):
+    def convert_args(self, request: Request, action_id: int | str, *args, **kwargs):
         parsed_args, parsed_kwargs = super().convert_args(request, *args, **kwargs)
         organization = parsed_kwargs["organization"]
 
         # Get the relevant action associated with the organization and request
         try:
-            action = NotificationAction.objects.get(id=action_id, organization_id=organization.id)
+            action = NotificationAction.objects.get(
+                id=to_valid_int_id("action_id", action_id, raise_404=True),
+                organization_id=organization.id,
+            )
         except NotificationAction.DoesNotExist:
             raise ResourceDoesNotExist
 

src/sentry/workflow_engine/endpoints/validators/alertrule_workflow.py

@@ -4,9 +4,9 @@
 
 
 class AlertRuleWorkflowValidator(serializers.Serializer[Any]):
-    rule_id = serializers.CharField(required=False)
-    alert_rule_id = serializers.CharField(required=False)
-    workflow_id = serializers.CharField(required=False)
+    rule_id = serializers.IntegerField(required=False, min_value=1)
+    alert_rule_id = serializers.IntegerField(required=False, min_value=1)
+    workflow_id = serializers.IntegerField(required=False, min_value=1)
 
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         super().validate(attrs)

tests/sentry/workflow_engine/endpoints/test_organization_alertrule_workflow.py

@@ -63,11 +63,25 @@ def test_get_with_multiple_filters(self) -> None:
 
         assert response.data == serialize(self.alert_rule_workflow_1, self.user)
 
-    def test_get_with_multiple_filters_with_invalid_filter(self) -> None:
+    def test_get_with_non_integer_workflow_id(self) -> None:
         self.get_error_response(
             self.organization.slug,
-            workflow_id=str(self.workflow_1.id),
-            alert_rule_id="this is not a valid ID",
+            workflow_id="not-an-integer",
+            status_code=400,
+        )
+
+    def test_get_with_non_integer_alert_rule_id(self) -> None:
+        self.get_error_response(
+            self.organization.slug,
+            alert_rule_id="not-an-integer",
+            status_code=400,
+        )
+
+    def test_get_with_non_integer_rule_id(self) -> None:
+        self.get_error_response(
+            self.organization.slug,
+            rule_id="not-an-integer",
+            status_code=400,
         )
 
     def test_get_with_nonexistent_workflow_id(self) -> None: