Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ruff: Add and fix Q000 #10095

Merged
merged 4 commits into from
Jul 12, 2024

Update .settings.dist.py.sha256sum

edf2af3
Select commit
Loading
Failed to load commit list.
Merged

Ruff: Add and fix Q000 #10095

Update .settings.dist.py.sha256sum
edf2af3
Select commit
Loading
Failed to load commit list.
DryRunSecurity / Authn/Authz Analyzer succeeded Jul 9, 2024 in 26s

DryRun Security

Details

Authn/Authz Analyzer Findings: 52 detected

⚠️ Potential Authn/Authz Function Used or Modified dojo/api_v2/serializers.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code snippet contains a function called validate_findings_have_same_engagement that checks if a list of Finding objects belong to the same engagement. This function is likely used as part of an authorization mechanism to ensure that users can only modify findings that are associated with the same engagement. The function is called in the context of a POST, PATCH, or PUT request, suggesting that it is part of an application's authentication and authorization logic.
Filename dojo/api_v2/serializers.py
CodeLink
raise PermissionDenied(msg)
if self.context["request"].method == "POST":
validate_findings_have_same_engagement(finding_objects)
elif self.context["request"].method in ["PATCH", "PUT"]:
existing_findings = Finding.objects.filter(risk_acceptance=self.instance.id)
existing_and_new_findings = existing_findings | finding_objects
validate_findings_have_same_engagement(existing_and_new_findings)
⚠️ Potential Authn/Authz Function Used or Modified dojo/api_v2/serializers.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authentication and authorization. The validate_findings_have_same_engagement function checks if the findings being added belong to the same engagement, which is a form of access control. Additionally, the get_authorized_findings function is used to filter the findings that the user is authorized to edit, which is also an authorization-related functionality.
Filename dojo/api_v2/serializers.py
CodeLink
def validate(self, data):
def validate_findings_have_same_engagement(finding_objects: List[Finding]):
engagements = finding_objects.values_list("test__engagement__id", flat=True).distinct().count()
if engagements > 1:
msg = "You are not permitted to add findings from multiple engagements"
raise PermissionDenied(msg)
findings = data.get("accepted_findings", [])
findings_ids = [x.id for x in findings]
finding_objects = Finding.objects.filter(id__in=findings_ids)
authed_findings = get_authorized_findings(Permissions.Finding_Edit).filter(id__in=findings_ids)
⚠️ Potential Authn/Authz Function Used or Modified dojo/api_v2/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The provided code contains a RoleViewSet class that has the IsAuthenticated permission class set. This suggests that the code is handling authentication and authorization, as the IsAuthenticated permission class is used to ensure that only authenticated users can access the corresponding view.
Filename dojo/api_v2/views.py
CodeLink
permission_classes = (IsAuthenticated,)
def get_queryset(self):
return Role.objects.all().order_by("id")
# Authorization: object-based
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains several functions that are related to authentication and authorization. The new_cred, all_cred_product, and edit_cred functions are decorated with user_is_configuration_authorized and user_is_authorized, which are likely custom decorators that handle user authorization and access control. Additionally, the login function appears to handle user authentication by checking the username and password.
Filename dojo/cred/views.py
CodeLink
@user_is_configuration_authorized(Permissions.Credential_Add)
def new_cred(request):
if request.method == "POST":
tform = CredUserForm(request.POST)
if tform.is_valid():
form_copy = tform.save(commit=False)
form_copy.password = dojo_crypto_encrypt(
tform.cleaned_data["password"])
form_copy.save()
messages.add_message(
request,
messages.SUCCESS,
"Credential Successfully Created.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("cred"))
else:
tform = CredUserForm()
add_breadcrumb(
title="New Credential", top_level=False, request=request)
return render(request, "dojo/new_cred.html", {"tform": tform})
@user_is_authorized(Product, Permissions.Product_View, "pid")
def all_cred_product(request, pid):
prod = get_object_or_404(Product, id=pid)
creds = Cred_Mapping.objects.filter(product=prod).order_by("cred_id__name")
product_tab = Product_Tab(prod, title="Credentials", tab="settings")
return render(request, "dojo/view_cred_prod.html", {"product_tab": product_tab, "creds": creds, "prod": prod})
@user_is_authorized(Cred_User, Permissions.Credential_Edit, "ttid")
def edit_cred(request, ttid):
tool_config = Cred_User.objects.get(pk=ttid)
if request.method == "POST":
tform = CredUserForm(request.POST, request.FILES, instance=tool_config)
if tform.is_valid():
form_copy = tform.save(commit=False)
form_copy.password = dojo_crypto_encrypt(
tform.cleaned_data["password"])
# handle_uploaded_selenium(request.FILES['selenium_script'], tool_config)
form_copy.save()
messages.add_message(
request,
messages.SUCCESS,
"Credential Successfully Updated.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("cred"))
else:
tool_config.password = prepare_for_view(tool_config.password)
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/queries.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The provided code appears to contain functions related to authorization. The function get_authorized_cred_mappings takes a permission parameter and uses it to retrieve authorized product type roles, product roles, product type groups, and product groups based on the user's roles. This suggests that the code is performing some form of access control or authorization to determine which users are allowed to access certain resources or perform certain actions.
Filename dojo/cred/queries.py
CodeLink
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef("product__prod_type_id"),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef("product_id"),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef("product__prod_type_id"),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef("product_id"),
group__users=user,
role__in=roles)
cred_mappings = cred_mappings.annotate(
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains several functions related to authentication and authorization. The user_is_configuration_authorized and user_is_authorized decorators are used to check if the user has the necessary permissions to access certain views. These functions are part of the authorization mechanisms of the application.
Filename dojo/cred/views.py
CodeLink
messages.add_message(
request,
messages.SUCCESS,
"Note added successfully.",
extra_tags="alert-success")
else:
form = NoteForm()
add_breadcrumb(title="View", top_level=False, request=request)
return render(request, "dojo/view_cred_details.html", {
"cred": cred,
"form": form,
"notes": notes,
"cred_products": cred_products,
})
@user_is_configuration_authorized(Permissions.Credential_View)
def cred(request):
confs = Cred_User.objects.all().order_by("name", "environment", "username")
add_breadcrumb(title="Credential Manager", top_level=True, request=request)
return render(request, "dojo/view_cred.html", {
"confs": confs,
})
@user_is_authorized(Product, Permissions.Product_View, "pid")
@user_is_authorized(Cred_User, Permissions.Credential_View, "ttid")
def view_cred_product(request, pid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related("cred_id"), id=ttid)
notes = cred.cred_id.notes.all()
if request.method == "POST":
form = NoteForm(request.POST)
if form.is_valid():
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions, view_cred_product and view_cred_product_engagement, that appear to be related to authentication or authorization. The view_cred_product_engagement function uses the @user_is_authorized decorator, which suggests that it is checking the user's authorization to access certain resources. Additionally, the view_cred_product function checks if the user is logged in by verifying the existence of the user_id in the session.
Filename dojo/cred/views.py
CodeLink
messages.add_message(
request,
messages.SUCCESS,
"Note added successfully.",
extra_tags="alert-success")
else:
form = NoteForm()
add_breadcrumb(
title="Credential Manager", top_level=False, request=request)
cred_type = "Product"
view_link = reverse(
"view_cred_product", args=(
cred.product.id,
cred.id,
))
edit_link = reverse(
"edit_cred_product", args=(
cred.product.id,
cred.id,
))
delete_link = reverse(
"delete_cred_product", args=(
cred.product.id,
cred.id,
))
return render(
request, "dojo/view_cred_all_details.html", {
"cred": cred,
"form": form,
"notes": notes,
"cred_type": cred_type,
"edit_link": edit_link,
"delete_link": delete_link,
"view_link": view_link,
})
@user_is_authorized(Product, Permissions.Engagement_View, "eid")
@user_is_authorized(Cred_User, Permissions.Credential_View, "ttid")
def view_cred_product_engagement(request, eid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related("cred_id"), id=ttid)
cred_product = Cred_Mapping.objects.filter(
cred_id=cred.cred_id.id, product=cred.engagement.product.id).first()
notes = cred.cred_id.notes.all()
if request.method == "POST":
form = NoteForm(request.POST)
if form.is_valid():
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions that are likely related to authentication or authorization:

1. edit_cred: This function does not directly contain any authentication or authorization logic, but it is likely part of a larger application that handles credential management, which could involve authentication and authorization.

2. view_cred_details: This function contains a decorator @user_is_authorized, which suggests that it is responsible for checking the user's authorization to view the credential details. Additionally, the function get_authorized_cred_mappings is called, which implies that the application has some form of access control mechanism in place.
Filename dojo/cred/views.py
CodeLink
top_level=False,
request=request)
return render(request, "dojo/edit_cred.html", {
"tform": tform,
})
@user_is_authorized(Cred_User, Permissions.Credential_View, "ttid")
def view_cred_details(request, ttid):
cred = Cred_User.objects.get(pk=ttid)
notes = cred.notes.all()
cred_products = Cred_Mapping.objects.select_related("product").filter(
product_id__isnull=False, cred_id=ttid).order_by("product__name")
cred_products = get_authorized_cred_mappings(Permissions.Product_View, cred_products)
if request.method == "POST":
form = NoteForm(request.POST)
if form.is_valid():
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions, view_cred_product_engagement and view_cred_engagement_test, which appear to be related to authentication or authorization. The view_cred_engagement_test function has two decorators, @user_is_authorized(Product, Permissions.Test_View, 'tid') and @user_is_authorized(Cred_User, Permissions.Credential_View, 'ttid'), which suggest that these functions are responsible for checking the user's authorization to access certain resources or perform certain actions.
Filename dojo/cred/views.py
CodeLink
cred_type = "Engagement"
edit_link = ""
delete_link = reverse(
"delete_cred_engagement", args=(
eid,
cred.id,
))
return render(
request, "dojo/view_cred_all_details.html", {
"cred": cred,
"form": form,
"notes": notes,
"cred_type": cred_type,
"edit_link": edit_link,
"delete_link": delete_link,
"cred_product": cred_product,
})
@user_is_authorized(Product, Permissions.Test_View, "tid")
@user_is_authorized(Cred_User, Permissions.Credential_View, "ttid")
def view_cred_engagement_test(request, tid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related("cred_id"), id=ttid)
cred_product = Cred_Mapping.objects.filter(
cred_id=cred.cred_id.id,
product=cred.test.engagement.product.id).first()
notes = cred.cred_id.notes.all()
if request.method == "POST":
form = NoteForm(request.POST)
if form.is_valid():
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two decorator functions, user_is_authorized, which indicate that the functions being decorated are related to authorization and access control. The user_is_authorized decorator checks if the user has the necessary permissions to access the requested resource, which is a common pattern in authentication and authorization logic.
Filename dojo/cred/views.py
CodeLink
cred_type = "Test"
edit_link = None
delete_link = reverse(
"delete_cred_test", args=(
tid,
cred.id,
))
return render(
request, "dojo/view_cred_all_details.html", {
"cred": cred,
"form": form,
"notes": notes,
"cred_type": cred_type,
"edit_link": edit_link,
"delete_link": delete_link,
"cred_product": cred_product,
})
@user_is_authorized(Product, Permissions.Finding_View, "fid")
@user_is_authorized(Cred_User, Permissions.Credential_View, "ttid")
def view_cred_finding(request, fid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related("cred_id"), id=ttid)
cred_product = Cred_Mapping.objects.filter(
cred_id=cred.cred_id.id,
product=cred.finding.test.engagement.product.id).first()
notes = cred.cred_id.notes.all()
if request.method == "POST":
form = NoteForm(request.POST)
if form.is_valid():
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authentication and authorization, specifically the new_cred_product_engagement and new_cred_engagement_test functions. These functions appear to be responsible for managing user credentials, which are a critical component of authentication and authorization mechanisms in web applications.
Filename dojo/cred/views.py
CodeLink
new_f.engagement = eng
new_f.cred_id = cred_user.cred_id
new_f.save()
message = "Credential Successfully Updated."
status_tag = "alert-success"
messages.add_message(
request, messages.SUCCESS, message, extra_tags=status_tag)
return HttpResponseRedirect(
reverse("view_engagement", args=(eid, )))
else:
tform = CredMappingForm()
tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
product=eng.product).order_by("cred_id")
add_breadcrumb(
title="Add Credential Configuration", top_level=False, request=request)
return render(
request, "dojo/new_cred_mapping.html", {
"tform": tform,
"eid": eid,
"formlink": reverse("new_cred_product_engagement", args=(eid, )),
})
@user_is_authorized(Test, Permissions.Test_Edit, "tid")
def new_cred_engagement_test(request, tid):
test = get_object_or_404(Test, pk=tid)
if request.method == "POST":
tform = CredMappingForm(request.POST)
tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
engagement=test.engagement).order_by("cred_id")
if tform.is_valid() and tform.cleaned_data["cred_user"]:
# Select the credential mapping object from the selected list and only allow if the credential is associated with the product
cred_user = Cred_Mapping.objects.filter(
pk=tform.cleaned_data["cred_user"].id,
engagement=test.engagement.id).first()
# search for cred_user and test id
cred_lookup = Cred_Mapping.objects.filter(
cred_id=cred_user.cred_id, test=test.id)
message = "Credential already associated."
status_tag = "alert-danger"
if not cred_user:
message = "Credential must first be associated with this product."
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authentication and authorization. The new_cred_product_engagement function has a decorator @user_is_authorized which indicates that it checks the user's authorization before allowing them to access the function. Additionally, the login function checks the user's credentials (username and password) to authenticate them and redirect them to the login page if authentication fails.
Filename dojo/cred/views.py
CodeLink
cred_id=tform.cleaned_data["cred_id"].id, product=pid).first()
message = "Credential already associated."
status_tag = "alert-danger"
if cred_user is None:
prod = Product.objects.get(id=pid)
new_f = tform.save(commit=False)
new_f.product = prod
new_f.save()
message = "Credential Successfully Updated."
status_tag = "alert-success"
messages.add_message(
request, messages.SUCCESS, message, extra_tags=status_tag)
return HttpResponseRedirect(reverse("all_cred_product", args=(pid, )))
else:
tform = CredMappingFormProd()
product_tab = Product_Tab(prod, title="Add Credential Configuration", tab="settings")
return render(request, "dojo/new_cred_product.html", {
"tform": tform,
"pid": pid,
"product_tab": product_tab,
})
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
def new_cred_product_engagement(request, eid):
eng = get_object_or_404(Engagement, pk=eid)
if request.method == "POST":
tform = CredMappingForm(request.POST)
tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
product=eng.product).order_by("cred_id")
if tform.is_valid() and tform.cleaned_data["cred_user"]:
# Select the credential mapping object from the selected list and only allow if the credential is associated with the product
cred_user = Cred_Mapping.objects.filter(
pk=tform.cleaned_data["cred_user"].id,
product=eng.product.id).order_by("cred_id").first()
# search for cred_user and engagement id
cred_lookup = Cred_Mapping.objects.filter(
cred_id=cred_user.cred_id, engagement=eng.id)
message = "Credential already associated."
status_tag = "alert-danger"
if not cred_user:
message = "Credential must first be associated with this product."
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains several functions that are related to authentication and authorization, such as edit_cred_product, edit_cred_product_engagement, and new_cred_product. These functions use decorators like @user_is_authorized which suggest that they are involved in handling access control and permissions for various entities like Product, Cred_User, and Engagement. Additionally, the code mentions concepts like sessions and tokens, which are commonly associated with authentication and authorization mechanisms in web applications.
Filename dojo/cred/views.py
CodeLink
cred_type = "Finding"
edit_link = None
delete_link = reverse(
"delete_cred_finding", args=(
fid,
cred.id,
))
return render(
request, "dojo/view_cred_all_details.html", {
"cred": cred,
"form": form,
"notes": notes,
"cred_type": cred_type,
"edit_link": edit_link,
"delete_link": delete_link,
"cred_product": cred_product,
})
@user_is_authorized(Product, Permissions.Product_Edit, "pid")
@user_is_authorized(Cred_User, Permissions.Credential_Edit, "ttid")
def edit_cred_product(request, pid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related("cred_id"), id=ttid)
prod = get_object_or_404(Product, pk=pid)
if request.method == "POST":
tform = CredMappingFormProd(request.POST, instance=cred)
if tform.is_valid():
tform.save()
messages.add_message(
request,
messages.SUCCESS,
"Credential Successfully Updated.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("all_cred_product", args=(pid, )))
else:
tform = CredMappingFormProd(instance=cred)
product_tab = Product_Tab(prod, title="Edit Product Credential", tab="settings")
return render(request, "dojo/edit_cred_all.html", {
"tform": tform,
"product_tab": product_tab,
"cred_type": "Product",
})
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
@user_is_authorized(Cred_User, Permissions.Credential_Edit, "ttid")
def edit_cred_product_engagement(request, eid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related("cred_id"), id=ttid)
eng = get_object_or_404(Engagement, pk=eid)
if request.method == "POST":
tform = CredMappingForm(request.POST, instance=cred)
if tform.is_valid():
tform.save()
messages.add_message(
request,
messages.SUCCESS,
"Credential Successfully Updated.",
extra_tags="alert-success")
return HttpResponseRedirect(
reverse("view_engagement", args=(eid, )))
else:
tform = CredMappingFormProd(instance=cred)
tform.fields["cred_id"].queryset = Cred_Mapping.objects.filter(
product=eng.product).order_by("cred_id")
add_breadcrumb(
title="Edit Credential Configuration",
top_level=False,
request=request)
return render(request, "dojo/edit_cred_all.html", {
"tform": tform,
"cred_type": "Engagement",
})
@user_is_authorized(Product, Permissions.Product_Edit, "pid")
def new_cred_product(request, pid):
prod = get_object_or_404(Product, pk=pid)
if request.method == "POST":
tform = CredMappingFormProd(request.POST)
if tform.is_valid():
# Select the credential mapping object from the selected list and only allow if the credential is associated with the product
cred_user = Cred_Mapping.objects.filter(
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions that are potentially related to authentication or authorization: new_cred_finding and delete_cred_controller. The new_cred_finding function appears to be handling credential-related operations, which could be part of an authentication or authorization flow. The delete_cred_controller function is decorated with @user_is_authorized, which suggests that it is involved in authorization-related functionality.
Filename dojo/cred/views.py
CodeLink
new_f.finding = finding
new_f.cred_id = cred_user.cred_id
new_f.save()
message = "Credential Successfully Updated."
status_tag = "alert-success"
messages.add_message(
request, messages.SUCCESS, message, extra_tags=status_tag)
return HttpResponseRedirect(reverse("view_finding", args=(fid, )))
else:
tform = CredMappingForm()
tform.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
engagement=finding.test.engagement).order_by("cred_id")
add_breadcrumb(
title="Add Credential Configuration", top_level=False, request=request)
return render(
request, "dojo/new_cred_mapping.html", {
"tform": tform,
"eid": fid,
"formlink": reverse("new_cred_finding", args=(fid, )),
})
@user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
def delete_cred_controller(request, destination_url, id, ttid):
cred = None
try:
cred = Cred_Mapping.objects.get(pk=ttid)
except:
pass
if request.method == "POST":
tform = CredMappingForm(request.POST, instance=cred)
message = ""
status_tag = ""
⚠️ Potential Authn/Authz Function Used or Modified dojo/decorators.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authentication or authorization. The Dojo_User model and the get_current_user() function suggest that the code is handling user-related functionality, which could include authentication and authorization processes.
Filename dojo/decorators.py
CodeLink
from dojo.models import Dojo_User
from dojo.utils import get_current_user
sync = kwargs.get("sync", False)
if sync:
logger.debug("dojo_async_task %s: running task in the foreground as sync=True has been found as kwarg", func)
return False
user = kwargs.get("async_user", get_current_user())
logger.debug("user: %s", user)
if Dojo_User.wants_block_execution(user):
logger.debug("dojo_async_task %s: running task in the foreground as block_execution is set to True for %s", func, user)
return False
logger.debug("dojo_async_task %s: no current user, running task in the background", func)
return True
⚠️ Potential Authn/Authz Function Used or Modified dojo/cred/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains several functions that have decorators such as @user_is_authorized which indicate that these functions are related to authorization and access control. The decorators check the user's permissions before allowing them to perform certain actions, such as deleting credentials, editing products, engagements, tests, and findings. This suggests that these functions are responsible for enforcing authentication and authorization mechanisms within the application.
Filename dojo/cred/views.py
CodeLink
finding = get_object_or_404(Finding, id=id)
product = finding.test.engagement.product
product_tab = Product_Tab(product, title="Delete Credential Mapping", tab="settings")
return render(request, "dojo/delete_cred_all.html", {
"tform": tform,
"product_tab": product_tab,
})
@user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
def delete_cred(request, ttid):
return delete_cred_controller(request, "cred", 0, ttid)
@user_is_authorized(Product, Permissions.Product_Edit, "pid")
@user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
def delete_cred_product(request, pid, ttid):
return delete_cred_controller(request, "all_cred_product", pid, ttid)
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
@user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
def delete_cred_engagement(request, eid, ttid):
return delete_cred_controller(request, "view_engagement", eid, ttid)
@user_is_authorized(Test, Permissions.Test_Edit, "tid")
@user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
def delete_cred_test(request, tid, ttid):
return delete_cred_controller(request, "view_test", tid, ttid)
@user_is_authorized(Finding, Permissions.Finding_Edit, "fid")
@user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
def delete_cred_finding(request, fid, ttid):
return delete_cred_controller(request, "view_finding", fid, ttid)
⚠️ Potential Authn/Authz Function Used or Modified dojo/decorators.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function get_current_user() which is likely responsible for retrieving the current user's information, which is typically related to authentication or authorization processes in web applications.
Filename dojo/decorators.py
CodeLink
def __wrapper__(*args, **kwargs):
from dojo.utils import get_current_user
user = get_current_user()
kwargs["async_user"] = user
countdown = kwargs.pop("countdown", 0)
if we_want_async(*args, func=func, **kwargs):
return func.apply_async(args=args, kwargs=kwargs, countdown=countdown)
⚠️ Potential Authn/Authz Function Used or Modified dojo/decorators.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called dojo_ratelimit that appears to be related to rate limiting and user authentication. The function checks if the request is rate limited and performs actions based on the configuration, including checking the username and potentially locking out the user's account. This suggests that the code is handling some aspects of user authentication and authorization.
Filename dojo/decorators.py
CodeLink
except Exception:
print("exception occured at url:", self.driver.current_url)
print("page source:", self.driver.page_source)
f = open("/tmp/selenium_page_source.html", "w", encoding="utf-8")
f.writelines(self.driver.page_source)
# time.sleep(30)
raise
return wrapper
def dojo_ratelimit(key="ip", rate=None, method=UNSAFE, block=False):
def decorator(fn):
@wraps(fn)
def _wrapped(request, *args, **kw):
_block = getattr(settings, "RATE_LIMITER_BLOCK", block)
_rate = getattr(settings, "RATE_LIMITER_RATE", rate)
_lockout = getattr(settings, "RATE_LIMITER_ACCOUNT_LOCKOUT", False)
old_limited = getattr(request, "limited", False)
ratelimited = is_ratelimited(request=request, fn=fn,
key=key, rate=_rate, method=method,
increment=True)
request.limited = ratelimited or old_limited
if ratelimited and _block:
if _lockout:
username = request.POST.get("username", None)
if username:
dojo_user = Dojo_User.objects.filter(username=username).first()
if dojo_user:
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/queries.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The provided code contains functions that appear to be related to authentication and authorization. The get_authorized_endpoints function checks the user's permissions and roles to determine which endpoints the user is authorized to access. The function uses several database queries to retrieve the user's authorized product types, products, and associated roles. This indicates that the code is dealing with access control and authorization mechanisms, which are typically part of authentication and authorization functionalities in web applications.
Filename dojo/endpoint/queries.py
CodeLink
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef("product__prod_type_id"),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef("product_id"),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef("product__prod_type_id"),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef("product_id"),
group__users=user,
role__in=roles)
endpoints = endpoints.annotate(
⚠️ Potential Authn/Authz Function Used or Modified dojo/development_environment/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions that appear to be related to authentication or authorization: @login_required and @user_is_configuration_authorized. The @login_required decorator is used to require the user to be authenticated before accessing the dev_env function, which suggests that this function is related to authentication. The @user_is_configuration_authorized decorator is used to check if the user has the necessary permissions to access the add_dev_env and edit_dev_env functions, which suggests that these functions are related to authorization.
Filename dojo/development_environment/views.py
CodeLink
@login_required
def dev_env(request):
initial_queryset = Development_Environment.objects.all().order_by("name")
name_words = [de.name for de in
initial_queryset]
devs = DevelopmentEnvironmentFilter(request.GET, queryset=initial_queryset)
dev_page = get_page_items(request, devs.qs, 25)
add_breadcrumb(title="Environment List", top_level=True, request=request)
return render(request, "dojo/dev_env.html", {
"name": "Environment",
"metric": False,
"user": request.user,
"devs": dev_page,
"dts": devs,
"name_words": name_words})
@user_is_configuration_authorized("dojo.add_development_environment")
def add_dev_env(request):
form = Development_EnvironmentForm()
if request.method == "POST":
form = Development_EnvironmentForm(request.POST)
if form.is_valid():
form.save()
messages.add_message(request,
messages.SUCCESS,
"Environment added successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("dev_env"))
add_breadcrumb(title="Add Environment", top_level=False, request=request)
return render(request, "dojo/new_dev_env.html", {
"name": "Add Environment",
"metric": False,
"user": request.user,
"form": form,
})
@user_is_configuration_authorized("dojo.change_development_environment")
def edit_dev_env(request, deid):
de = get_object_or_404(Development_Environment, pk=deid)
form1 = Development_EnvironmentForm(instance=de)
form2 = Delete_Dev_EnvironmentForm(instance=de)
if request.method == "POST" and request.POST.get("edit_dev_env"):
form1 = Development_EnvironmentForm(request.POST, instance=de)
if form1.is_valid():
de = form1.save()
messages.add_message(
request,
messages.SUCCESS,
"Environment updated successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("dev_env"))
if request.method == "POST" and request.POST.get("delete_dev_env"):
user_has_configuration_permission_or_403(request.user, "dojo.delete_development_environment")
form2 = Delete_Dev_EnvironmentForm(request.POST, instance=de)
if form2.is_valid():
try:
de.delete()
messages.add_message(
request,
messages.SUCCESS,
"Environment deleted successfully.",
extra_tags="alert-success")
except RestrictedError as err:
messages.add_message(request,
messages.WARNING,
f"Environment cannot be deleted: {err}",
extra_tags="alert-warning")
return HttpResponseRedirect(reverse("dev_env"))
add_breadcrumb(title="Edit Environment", top_level=False, request=request)
return render(request, "dojo/edit_dev_env.html", {
"name": "Edit Environment",
"metric": False,
"user": request.user,
"form1": form1,
"de": de})
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/queries.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The provided code contains several functions related to authentication and authorization. The get_authorized_endpoint_status function checks the user's permissions and roles to determine if they are authorized to access a specific endpoint. The function uses various database queries, such as Product_Type_Member, Product_Member, Product_Type_Group, and Product_Group, to check the user's membership in different product types and products, as well as their assigned roles. These types of functions are typically part of an application's authentication and authorization mechanisms.
Filename dojo/endpoint/queries.py
CodeLink
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef("endpoint__product__prod_type_id"),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef("endpoint__product_id"),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef("endpoint__product__prod_type_id"),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef("endpoint__product_id"),
group__users=user,
role__in=roles)
endpoint_status = endpoint_status.annotate(
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called user_has_permission_or_403() which is likely responsible for checking if the user has the necessary permissions to view a particular product. This is a common pattern for implementing authorization in web applications.
Filename dojo/endpoint/views.py
CodeLink
add_breadcrumb(title=view_name, top_level=not len(request.GET), request=request)
product_tab = None
if "product" in request.GET:
p = request.GET.getlist("product", [])
if len(p) == 1:
product = get_object_or_404(Product, id=p[0])
user_has_permission_or_403(request.user, product, Permissions.Product_View)
product_tab = Product_Tab(product, view_name, tab="endpoints")
return render(
request, "dojo/endpoints.html", {
"product_tab": product_tab,
"endpoints": paged_endpoints,
"filtered": endpoints,
"name": view_name,
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains the function get_authorized_endpoints(), which suggests that the code is performing some form of authorization or access control. This function is likely responsible for determining which endpoints a user is allowed to view based on their permissions.
Filename dojo/endpoint/views.py
CodeLink
else:
endpoints = Endpoint.objects.all()
endpoints = endpoints.prefetch_related("product", "product__tags", "tags").distinct()
endpoints = get_authorized_endpoints(Permissions.Endpoint_View, endpoints, request.user)
filter_string_matching = get_system_setting("filter_string_matching", False)
filter_class = EndpointFilterWithoutObjectLookups if filter_string_matching else EndpointFilter
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains several functions that are decorated with the @user_is_authorized decorator, which indicates that these functions are related to authorization and access control. The @user_is_authorized decorator likely checks if the user making the request is authorized to perform the requested action on the given Endpoint object.
Filename dojo/endpoint/views.py
CodeLink
return render(request,
"dojo/view_endpoint.html",
{"endpoint": endpoint,
"product_tab": product_tab,
"endpoints": endpoints,
"findings": paged_findings,
"all_findings": all_findings,
"opened_per_month": monthly_counts["opened_per_period"],
"endpoint_metadata": endpoint_metadata,
"vulnerable": vulnerable,
"host_view": host_view,
})
@user_is_authorized(Endpoint, Permissions.Endpoint_View, "eid")
def view_endpoint(request, eid):
return process_endpoint_view(request, eid, host_view=False)
@user_is_authorized(Endpoint, Permissions.Endpoint_View, "eid")
def view_endpoint_host(request, eid):
return process_endpoint_view(request, eid, host_view=True)
@user_is_authorized(Endpoint, Permissions.Endpoint_View, "eid")
def edit_endpoint(request, eid):
endpoint = get_object_or_404(Endpoint, id=eid)
if request.method == "POST":
form = EditEndpointForm(request.POST, instance=endpoint)
if form.is_valid():
logger.debug("saving endpoint")
endpoint = form.save()
messages.add_message(request,
messages.SUCCESS,
"Endpoint updated successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("view_endpoint", args=(endpoint.id,)))
else:
add_breadcrumb(parent=endpoint, title="Edit", top_level=False, request=request)
form = EditEndpointForm(instance=endpoint)
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a conditional check that checks whether the user is authorized to perform a certain action, and if not, an error message is added to the response. This suggests that the code is handling some form of authorization.
Filename dojo/endpoint/views.py
CodeLink
calculate_grade(prod)
if skipped_endpoint_count > 0:
add_error_message_to_response(f"Skipped deletion of {skipped_endpoint_count} endpoints because you are not authorized.")
if deleted_endpoint_count > 0:
messages.add_message(request,
messages.SUCCESS,
f"Bulk delete of {deleted_endpoint_count} endpoints was successful.",
extra_tags="alert-success")
else:
if endpoints_to_update:
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains several functions that are related to authentication and authorization, such as delete_endpoint, add_endpoint, and add_product_endpoint. These functions use various mechanisms to enforce access control restrictions, such as checking user permissions and validating user input. Additionally, the code uses the user_is_authorized decorator, which suggests that it is handling authentication and authorization-related functionality.
Filename dojo/endpoint/views.py
CodeLink
return render(request,
"dojo/edit_endpoint.html",
{"endpoint": endpoint,
"product_tab": product_tab,
"form": form,
})
@user_is_authorized(Endpoint, Permissions.Endpoint_Delete, "eid")
def delete_endpoint(request, eid):
endpoint = get_object_or_404(Endpoint, pk=eid)
product = endpoint.product
form = DeleteEndpointForm(instance=endpoint)
if request.method == "POST":
if "id" in request.POST and str(endpoint.id) == request.POST["id"]:
form = DeleteEndpointForm(request.POST, instance=endpoint)
if form.is_valid():
product = endpoint.product
endpoint.delete()
messages.add_message(request,
messages.SUCCESS,
"Endpoint and relationships removed.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("view_product", args=(product.id,)))
collector = NestedObjects(using=DEFAULT_DB_ALIAS)
collector.collect([endpoint])
rels = collector.nested()
product_tab = Product_Tab(endpoint.product, "Delete Endpoint", tab="endpoints")
return render(request, "dojo/delete_endpoint.html",
{"endpoint": endpoint,
"product_tab": product_tab,
"form": form,
"rels": rels,
})
@user_is_authorized(Product, Permissions.Endpoint_Add, "pid")
def add_endpoint(request, pid):
product = get_object_or_404(Product, id=pid)
template = "dojo/add_endpoint.html"
form = AddEndpointForm(product=product)
if request.method == "POST":
form = AddEndpointForm(request.POST, product=product)
if form.is_valid():
endpoints = form.save()
tags = request.POST.get("tags")
for e in endpoints:
e.tags = tags
e.save()
messages.add_message(request,
messages.SUCCESS,
"Endpoint added successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("endpoint") + "?product=" + pid)
product_tab = Product_Tab(product, "Add Endpoint", tab="endpoints")
return render(request, template, {
"product_tab": product_tab,
"name": "Add Endpoint",
"form": form})
def add_product_endpoint(request):
form = AddEndpointForm()
if request.method == "POST":
form = AddEndpointForm(request.POST)
if form.is_valid():
user_has_permission_or_403(request.user, form.product, Permissions.Endpoint_Add)
endpoints = form.save()
tags = request.POST.get("tags")
for e in endpoints:
e.tags = tags
e.save()
messages.add_message(request,
messages.SUCCESS,
"Endpoint added successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("endpoint") + f"?product={form.product.id}")
add_breadcrumb(title="Add Endpoint", top_level=False, request=request)
return render(request,
"dojo/add_endpoint.html",
{"name": "Add Endpoint",
"form": form,
})
@user_is_authorized(Endpoint, Permissions.Endpoint_Edit, "eid")
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function that checks if the user is authorized to perform a certain action. Specifically, the add_error_message_to_response function is called when the user is not authorized to update certain endpoints. This suggests that the code contains some form of authorization mechanism.
Filename dojo/endpoint/views.py
CodeLink
updated_endpoint_count = endpoints.count()
if skipped_endpoint_count > 0:
add_error_message_to_response(f"Skipped mitigation of {skipped_endpoint_count} endpoints because you are not authorized.")
eps_count = Endpoint_Status.objects.filter(endpoint__in=endpoints).update(
mitigated=True,
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/queries.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authentication and authorization. The get_authorized_engagements function checks the user's permissions and roles to determine which engagements the user is authorized to access. The function uses various Django ORM queries to filter the Product_Type_Member, Product_Member, Product_Type_Group, and Product_Group models to determine the user's authorized product types and products.
Filename dojo/engagement/queries.py
CodeLink
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef("product__prod_type_id"),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef("product_id"),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef("product__prod_type_id"),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef("product_id"),
group__users=user,
role__in=roles)
engagements = Engagement.objects.annotate(
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a reference to request.user, which suggests that it is handling user-related information and may be involved in authentication or authorization processes. The mitigated_by and mitigated_time attributes also indicate that the code is dealing with user-specific data, which is often associated with authentication or authorization functions.
Filename dojo/endpoint/views.py
CodeLink
for status in status_list:
if status in enable:
endpoint_status.__setattr__(status, True)
if status == "mitigated":
endpoint_status.mitigated_by = request.user
endpoint_status.mitigated_time = timezone.now()
else:
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called @user_is_authorized which is likely an authorization function that checks if the user has the necessary permissions to access the endpoint_status_bulk_update function. This function is typically used to enforce access control restrictions, which is a key aspect of authentication and authorization in web applications.
Filename dojo/endpoint/views.py
CodeLink
if updated_endpoint_count > 0:
messages.add_message(request,
messages.SUCCESS,
f"Bulk mitigation of {updated_endpoint_count} endpoints ({eps_count} endpoint statuses) was successful.",
extra_tags="alert-success")
else:
messages.add_message(request,
messages.ERROR,
"Unable to process bulk update. Required fields were not selected.",
extra_tags="alert-danger")
return HttpResponseRedirect(reverse("endpoint", args=()))
@user_is_authorized(Finding, Permissions.Finding_Edit, "fid")
def endpoint_status_bulk_update(request, fid):
if request.method == "POST":
post = request.POST
endpoints_to_update = post.getlist("endpoints_to_update")
status_list = ["active", "false_positive", "mitigated", "out_of_scope", "risk_accepted"]
enable = [item for item in status_list if item in list(post.keys())]
if endpoints_to_update and len(enable) > 0:
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authentication and authorization, such as get_authorized_engagements and get_authorized_users, which are likely used to control access to certain resources or functionality based on user permissions.
Filename dojo/engagement/views.py
CodeLink
@vary_on_cookie
def engagement_calendar(request):
if not get_system_setting("enable_calendar"):
raise Resolver404
if "lead" not in request.GET or "0" in request.GET.getlist("lead"):
engagements = get_authorized_engagements(Permissions.Engagement_View)
else:
filters = []
leads = request.GET.getlist("lead", "")
if "-1" in request.GET.getlist("lead"):
leads.remove("-1")
filters.append(Q(lead__isnull=True))
filters.append(Q(lead__in=leads))
engagements = get_authorized_engagements(Permissions.Engagement_View).filter(reduce(operator.or_, filters))
engagements = engagements.select_related("lead")
engagements = engagements.prefetch_related("product")
add_breadcrumb(
title="Engagement Calendar", top_level=True, request=request)
return render(
request, "dojo/calendar.html", {
"caltype": "engagements",
"leads": request.GET.getlist("lead", ""),
"engagements": engagements,
"users": get_authorized_users(Permissions.Engagement_View),
})
def get_filtered_engagements(request, view):
if view not in ["all", "active"]:
msg = f"View {view} is not allowed"
raise ValidationError(msg)
engagements = get_authorized_engagements(Permissions.Engagement_View).order_by("-target_start")
if view == "active":
engagements = engagements.filter(active=True)
engagements = engagements.select_related("product", "product__prod_type") \
.prefetch_related("lead", "tags", "product__tags")
if System_Settings.objects.get().enable_jira:
engagements = engagements.prefetch_related(
"jira_project__jira_instance",
"product__jira_project_set__jira_instance",
)
filter_string_matching = get_system_setting("filter_string_matching", False)
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authorization, specifically get_authorized_products() and get_authorized_engagements(). These functions appear to be used to filter the list of products and engagements that the user is authorized to view, which is a common authorization-related functionality in web applications.
Filename dojo/engagement/views.py
CodeLink
def engagements(request, view):
if not view:
view = "active"
filtered_engagements = get_filtered_engagements(request, view)
engs = get_page_items(request, filtered_engagements.qs, 25)
product_name_words = sorted(get_authorized_products(Permissions.Product_View).values_list("name", flat=True))
engagement_name_words = sorted(get_authorized_engagements(Permissions.Engagement_View).values_list("name", flat=True).distinct())
add_breadcrumb(
title=f"{view.capitalize()} Engagements",
top_level=not len(request.GET),
request=request)
return render(
request, "dojo/engagement.html", {
"engagements": engs,
"engagement_test_counts": get_test_counts(filtered_engagements.qs),
"filter_form": filtered_engagements.form,
"product_name_words": product_name_words,
"engagement_name_words": engagement_name_words,
"view": view.capitalize(),
})
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions that are related to authentication and authorization: engagements_all and edit_engagement. The engagements_all function uses the get_authorized_engagements function, which likely checks the user's permissions to access certain engagements. The edit_engagement function uses the @user_is_authorized decorator, which is likely a custom decorator that checks if the user is authorized to edit the engagement.
Filename dojo/engagement/views.py
CodeLink
prods = get_page_items(request, filtered.qs, 25)
prods.paginator.count = sum(len(prod.engagement_set.all()) for prod in prods)
name_words = products_with_engagements.values_list("name", flat=True)
eng_words = get_authorized_engagements(Permissions.Engagement_View).values_list("name", flat=True).distinct()
add_breadcrumb(
title="All Engagements",
top_level=not len(request.GET),
request=request)
return render(
request, "dojo/engagements_all.html", {
"products": prods,
"filter_form": filtered.form,
"name_words": sorted(set(name_words)),
"eng_words": sorted(set(eng_words)),
})
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
def edit_engagement(request, eid):
engagement = Engagement.objects.get(pk=eid)
is_ci_cd = engagement.engagement_type == "CI/CD"
jira_project_form = None
jira_epic_form = None
jira_project = None
if request.method == "POST":
form = EngForm(request.POST, instance=engagement, cicd=is_ci_cd, product=engagement.product, user=request.user)
jira_project = jira_helper.get_jira_project(engagement, use_inheritance=False)
if form.is_valid():
# first save engagement details
new_status = form.cleaned_data.get("status")
engagement.product = form.cleaned_data.get("product")
engagement = form.save(commit=False)
if (new_status == "Cancelled" or new_status == "Completed"):
engagement.active = False
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called user_is_authorized which suggests that it is related to authorization and access control. This function is used as a decorator for the copy_engagement function, which means that the copy_engagement function is only accessible to users who have the necessary permissions.
Filename dojo/engagement/views.py
CodeLink
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
def copy_engagement(request, eid):
engagement = get_object_or_404(Engagement, id=eid)
product = engagement.product
form = DoneForm()
if request.method == "POST":
form = DoneForm(request.POST)
if form.is_valid():
engagement_copy = engagement.copy()
calculate_grade(product)
messages.add_message(
request,
messages.SUCCESS,
"Engagement Copied successfully.",
extra_tags="alert-success")
create_notification(event="engagement_copied", # TODO - if 'copy' functionality will be supported by API as well, 'create_notification' needs to be migrated to place where it will be able to cover actions from both interfaces
title=_("Copying of %s") % engagement.name,
description=f'The engagement "{engagement.name}" was copied by {request.user}',
product=product,
url=request.build_absolute_uri(reverse("view_engagement", args=(engagement_copy.id, ))),
recipients=[engagement.lead],
icon="exclamation-triangle")
return redirect_to_return_url_or_else(request, reverse("view_engagements", args=(product.id, )))
else:
messages.add_message(
request,
messages.ERROR,
"Unable to copy engagement, please try again.",
extra_tags="alert-danger")
product_tab = Product_Tab(product, title="Copy Engagement", tab="engagements")
return render(request, "dojo/copy_object.html", {
"source": engagement,
"source_label": "Engagement",
"destination_label": "Product",
"product_tab": product_tab,
"form": form,
})
class ViewEngagement(View):
def get_template(self):
return "dojo/view_eng.html"
def get_risks_accepted(self, eng):
risks_accepted = eng.risk_acceptance.all().select_related("owner").annotate(accepted_findings_count=Count("accepted_findings__id"))
return risks_accepted
def get_filtered_tests(
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called 'user_has_permission_or_403' which appears to be related to authorization. This function checks if the user has the necessary permissions to perform an action, and if not, it raises a 403 Forbidden error. This suggests that the code is handling authorization-related functionality.
Filename dojo/engagement/views.py
CodeLink
form = DoneForm()
files = eng.files.all()
user_has_permission_or_403(request.user, eng, Permissions.Note_Add)
eng.progress = "check_list"
eng.save()
if note_type_activation:
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called user_has_permission_or_403 which is likely an authorization function that checks if the user has the necessary permissions to access the engagement_or_product object. This function is part of the authorization flow to ensure that the user is allowed to perform the requested action.
Filename dojo/engagement/views.py
CodeLink
product = get_object_or_404(Product, id=product_id)
engagement_or_product = product
else:
msg = "Either Engagement or Product has to be provided"
raise Exception(msg)
# Ensure the supplied user has access to import to the engagement or product
user_has_permission_or_403(user, engagement_or_product, Permissions.Import_Scan_Result)
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code appears to contain a function that processes a credentials form, which is typically used for authentication or authorization purposes. The function checks the 'cred_user' field from the form data, which suggests it may be handling user credentials or permissions.
Filename dojo/engagement/views.py
CodeLink
"""
Process the credentials form by creating
"""
if cred_user := form.cleaned_data["cred_user"]:
# Select the credential mapping object from the selected list and only allow if the credential is associated with the product
cred_user = Cred_Mapping.objects.filter(
pk=cred_user.id,
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a decorator @user_is_authorized which suggests that the complete_checklist function is related to authorization and access control. The decorator likely checks if the user making the request is authorized to perform the action on the Engagement object.
Filename dojo/engagement/views.py
CodeLink
"""
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
def complete_checklist(request, eid):
eng = get_object_or_404(Engagement, id=eid)
try:
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions, close_eng and reopen_eng, that are decorated with @user_is_authorized. This decorator is likely used to check if the user is authorized to perform certain actions, such as closing or reopening an engagement. These functions are related to authentication and authorization, as they ensure that the user has the necessary permissions to perform the requested actions.
Filename dojo/engagement/views.py
CodeLink
return self.success_redirect(context)
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
def close_eng(request, eid):
eng = Engagement.objects.get(id=eid)
close_engagement(eng)
messages.add_message(
request,
messages.SUCCESS,
"Engagement closed successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("view_engagements", args=(eng.product.id, )))
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
def reopen_eng(request, eid):
eng = Engagement.objects.get(id=eid)
reopen_engagement(eng)
messages.add_message(
request,
messages.SUCCESS,
"Engagement reopened successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("view_engagements", args=(eng.product.id, )))
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called add_risk_acceptance that is decorated with @user_is_authorized, which suggests that it is related to authorization and access control. This function likely checks if the user is authorized to perform certain actions within the application.
Filename dojo/engagement/views.py
CodeLink
messages.add_message(
request,
messages.SUCCESS,
"Checklist saved.",
extra_tags="alert-success")
return HttpResponseRedirect(
reverse("view_engagement", args=(eid, )))
else:
tests = Test.objects.filter(engagement=eng)
findings = Finding.objects.filter(test__in=tests).all()
form = CheckForm(instance=checklist, findings=findings)
product_tab = Product_Tab(eng.product, title="Checklist", tab="engagements")
product_tab.setEngagement(eng)
return render(request, "dojo/checklist.html", {
"form": form,
"product_tab": product_tab,
"eid": eng.id,
"findings": findings,
})
@user_is_authorized(Engagement, Permissions.Risk_Acceptance, "eid")
def add_risk_acceptance(request, eid, fid=None):
eng = get_object_or_404(Engagement, id=eid)
finding = None
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code snippet contains a function named complete_checklist which appears to be handling a request related to a checklist. This function could potentially be involved in authentication or authorization mechanisms, as it is likely checking the user's permissions or access rights before allowing them to complete the checklist. The presence of the request parameter and the handling of the POST method suggest that this function is part of the application's access control system.
Filename dojo/engagement/views.py
CodeLink
title="Complete checklist",
top_level=False,
request=request)
if request.method == "POST":
tests = Test.objects.filter(engagement=eng)
findings = Finding.objects.filter(test__in=tests).all()
form = CheckForm(request.POST, instance=checklist, findings=findings)
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions, view_risk_acceptance and edit_risk_acceptance, which are decorated with @user_is_authorized. This decorator is likely used to handle authorization and access control for the associated views. Additionally, the add_risk_acceptance function contains code that checks whether the user is authorized to perform the action before proceeding, which suggests that it is also related to authentication and authorization.
Filename dojo/engagement/views.py
CodeLink
eng.risk_acceptance.add(risk_acceptance)
findings = form.cleaned_data["accepted_findings"]
risk_acceptance = ra_helper.add_findings_to_risk_acceptance(risk_acceptance, findings)
messages.add_message(
request,
messages.SUCCESS,
"Risk acceptance saved.",
extra_tags="alert-success")
return redirect_to_return_url_or_else(request, reverse("view_engagement", args=(eid, )))
else:
risk_acceptance_title_suggestion = f"Accept: {finding}"
form = RiskAcceptanceForm(initial={"owner": request.user, "name": risk_acceptance_title_suggestion})
finding_choices = Finding.objects.filter(duplicate=False, test__engagement=eng).filter(NOT_ACCEPTED_FINDINGS_QUERY).order_by("title")
form.fields["accepted_findings"].queryset = finding_choices
if fid:
form.fields["accepted_findings"].initial = {fid}
product_tab = Product_Tab(eng.product, title="Risk Acceptance", tab="engagements")
product_tab.setEngagement(eng)
return render(request, "dojo/add_risk_acceptance.html", {
"eng": eng,
"product_tab": product_tab,
"form": form,
})
@user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
def view_risk_acceptance(request, eid, raid):
return view_edit_risk_acceptance(request, eid=eid, raid=raid, edit_mode=False)
@user_is_authorized(Engagement, Permissions.Risk_Acceptance, "eid")
def edit_risk_acceptance(request, eid, raid):
return view_edit_risk_acceptance(request, eid=eid, raid=raid, edit_mode=True)
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a decorator @user_is_authorized which suggests that the reinstate_risk_acceptance function is related to authorization and access control. This decorator likely checks if the user has the necessary permissions to perform the requested action on the Engagement object.
Filename dojo/engagement/views.py
CodeLink
return redirect_to_return_url_or_else(request, reverse("view_risk_acceptance", args=(eid, raid)))
@user_is_authorized(Engagement, Permissions.Risk_Acceptance, "eid")
def reinstate_risk_acceptance(request, eid, raid):
risk_acceptance = get_object_or_404(prefetch_for_expiration(Risk_Acceptance.objects.all()), pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function expire_risk_acceptance that has a decorator @user_is_authorized. This decorator suggests that the function is related to authorization, as it checks whether the user is authorized to perform a specific action (expiring a risk acceptance) based on the user's permissions.
Filename dojo/engagement/views.py
CodeLink
product_tab = Product_Tab(eng.product, title="Risk Acceptance", tab="engagements")
product_tab.setEngagement(eng)
return render(
request, "dojo/view_risk_acceptance.html", {
"risk_acceptance": risk_acceptance,
"engagement": eng,
"product_tab": product_tab,
"accepted_findings": fpage,
"notes": risk_acceptance.notes.all(),
"eng": eng,
"edit_mode": edit_mode,
"risk_acceptance_form": risk_acceptance_form,
"note_form": note_form,
"replace_form": replace_form,
"add_findings_form": add_findings_form,
# 'show_add_findings_form': len(unaccepted_findings),
"request": request,
"add_findings": add_fpage,
"return_url": get_return_url(request),
})
@user_is_authorized(Engagement, Permissions.Risk_Acceptance, "eid")
def expire_risk_acceptance(request, eid, raid):
risk_acceptance = get_object_or_404(prefetch_for_expiration(Risk_Acceptance.objects.all()), pk=raid)
# Validate the engagement ID exists before moving forward
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function delete_risk_acceptance that is decorated with @user_is_authorized. This decorator suggests that the function is responsible for checking the user's authorization to perform the requested action, which is typically a function related to authentication and authorization.
Filename dojo/engagement/views.py
CodeLink
return redirect_to_return_url_or_else(request, reverse("view_risk_acceptance", args=(eid, raid)))
@user_is_authorized(Engagement, Permissions.Risk_Acceptance, "eid")
def delete_risk_acceptance(request, eid, raid):
risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a decorator @user_is_authorized which suggests that the upload_threatmodel function is related to authorization and enforcing access control. The decorator likely checks if the user making the request is authorized to perform the action based on their permissions or role.
Filename dojo/engagement/views.py
CodeLink
"""
@user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
def upload_threatmodel(request, eid):
eng = Engagement.objects.get(id=eid)
add_breadcrumb(
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called download_risk_acceptance that is decorated with @user_is_authorized, which suggests that this function is related to authorization and access control. The user_is_authorized decorator is likely checking if the user making the request is authorized to access the specified engagement before allowing them to download the risk acceptance document.
Filename dojo/engagement/views.py
CodeLink
messages.add_message(
request,
messages.SUCCESS,
"Risk acceptance deleted successfully.",
extra_tags="alert-success")
return HttpResponseRedirect(reverse("view_engagement", args=(eng.id, )))
@user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
def download_risk_acceptance(request, eid, raid):
import mimetypes
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains two functions related to authentication or authorization: upload_threatmodel and view_threatmodel. The upload_threatmodel function appears to handle the upload of a threat model file, which could be considered a sensitive operation that requires authorization. The view_threatmodel function is decorated with the @user_is_authorized decorator, which suggests that it is an authorization-related function that checks if the user is authorized to view the threat model.
Filename dojo/engagement/views.py
CodeLink
top_level=False,
request=request)
if request.method == "POST":
form = UploadThreatForm(request.POST, request.FILES)
if form.is_valid():
handle_uploaded_threat(request.FILES["file"], eng)
eng.progress = "other"
eng.threat_model = True
eng.save()
messages.add_message(
request,
messages.SUCCESS,
"Threat model saved.",
extra_tags="alert-success")
return HttpResponseRedirect(
reverse("view_engagement", args=(eid, )))
else:
form = UploadThreatForm()
product_tab = Product_Tab(eng.product, title="Upload Threat Model", tab="engagements")
return render(request, "dojo/up_threat.html", {
"form": form,
"product_tab": product_tab,
"eng": eng,
})
@user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
def view_threatmodel(request, eid):
eng = get_object_or_404(Engagement, pk=eid)
response = FileResponse(open(eng.tmodel_path, "rb"))
return response
@user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
def engagement_ics(request, eid):
eng = get_object_or_404(Engagement, id=eid)
start_date = datetime.combine(eng.target_start, datetime.min.time())
⚠️ Potential Authn/Authz Function Used or Modified dojo/finding/helper.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The provided code contains a function called update_finding_status that checks if the user can edit mitigated data using the can_edit_mitigated_data function, which suggests that this function is related to authorization and access control.
Filename dojo/finding/helper.py
CodeLink
# marked as duplicate
# marked as original
if is_new_finding or "is_mitigated" in changed_fields:
# finding is being mitigated
if new_state_finding.is_mitigated:
# when mitigating a finding, the meta fields can only be editted if allowed
logger.debug("finding being mitigated, set mitigated and mitigated_by fields")
if can_edit_mitigated_data(user):
# only set if it was not already set by user
⚠️ Potential Authn/Authz Function Used or Modified dojo/finding/helper.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called reset_duplicate_before_delete which is likely related to authentication or authorization. The function is used to update the duplicate and duplicate_finding fields of a Finding object, which could be part of an access control mechanism in the application.
Filename dojo/finding/helper.py
CodeLink
def reset_duplicates_before_delete(qs):
mass_model_updater(Finding, qs, lambda f: reset_duplicate_before_delete(f), fields=["duplicate", "duplicate_finding"])
def set_new_original(finding, new_original):
⚠️ Potential Authn/Authz Function Used or Modified dojo/finding/queries.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authorization, specifically the get_authorized_groups function. This function takes a permission parameter and a user parameter (which can be None), and it retrieves the authorized groups based on the user's role and the requested permission. The function uses various Django models, such as Product_Type_Member, Product_Member, Product_Type_Group, and Product_Group, to determine the authorized groups for the user. This type of functionality is typically associated with authorization mechanisms in web applications.
Filename dojo/finding/queries.py
CodeLink
def get_authorized_groups(permission, user=None):
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef("test__engagement__product__prod_type_id"),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef("test__engagement__product_id"),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef("test__engagement__product__prod_type_id"),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef("test__engagement__product_id"),
group__users=user,
role__in=roles)
⚠️ Potential Authn/Authz Function Used or Modified dojo/finding/queries.py (click for details)
Type Potential Authn/Authz Function Used or Modified
Description The provided Python code contains several functions that are related to authentication and authorization. The get_authorized_vulnerability_ids function is used to determine which vulnerability IDs a user is authorized to access based on their assigned roles and product/product type memberships. This function relies on various models such as Product_Type_Member, Product_Member, Product_Type_Group, and Product_Group to perform the necessary access control checks. The presence of these models and the overall structure of the function suggest that it is part of an authentication and authorization system within the web application.
Filename dojo/finding/queries.py
CodeLink
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef("finding__test__engagement__product__prod_type_id"),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef("finding__test__engagement__product_id"),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef("finding__test__engagement__product__prod_type_id"),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef("finding__test__engagement__product_id"),
group__users=user,
role__in=roles)
vulnerability_ids = vulnerability_ids.annotate(