Release: Merge back 2.36.6 into dev from: master-into-dev/2.36.6-2.37.0-dev #10648

Merged: 19 commits, Jul 29, 2024

Commit: Fixing ruff (11171d8)
DryRunSecurity / Authn/Authz Analyzer succeeded Jul 29, 2024 in 12s

Authn/Authz Analyzer Findings: 13 detected

⚠️ Potential Authn/Authz Function Used or Modified: dojo/api_v2/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a comment that mentions 'Authorization: authenticated, configuration', which suggests that there are authentication or authorization mechanisms being used in the application. The download_file function may be part of an authentication or authorization flow, as it checks for a file ID associated with a test before returning the file object.
Filename: dojo/api_v2/views.py
Code:
                {"error": "File ID not associated with Test"},
                status=status.HTTP_404_NOT_FOUND,
            )
        # send file
        return generate_file_response(file_object)


# Authorization: authenticated, configuration
⚠️ Potential Authn/Authz Function Used or Modified: dojo/benchmark/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a decorator @user_is_authorized which is likely a custom function used for authorization checks. This decorator is applied to the update_benchmark_summary function, indicating that it is a sensitive function related to authorization and access control.
Filename: dojo/benchmark/views.py
Code:
    )


@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
def update_benchmark_summary(request, pid, _type, summary):
    if request.method == "POST":
        field = request.POST.get("field")
⚠️ Potential Authn/Authz Function Used or Modified: dojo/apps.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains imports for several modules that are likely related to authentication or authorization, such as 'dojo.cred.signals', 'dojo.notes.signals', and 'dojo.risk_acceptance.signals'. These module names suggest that they may contain functions or logic related to user credentials, notes, and risk acceptance, which are often part of authentication and authorization mechanisms in web applications.
Filename: dojo/apps.py
Code:
        # Load any signals here that will be ready for runtime
        # Importing the signals file is good enough if using the receiver decorator
        import dojo.announcement.signals  # noqa: F401
        import dojo.benchmark.signals  # noqa: F401
        import dojo.cred.signals  # noqa: F401
        import dojo.endpoint.signals  # noqa: F401
        import dojo.engagement.signals  # noqa: F401
        import dojo.finding_group.signals  # noqa: F401
        import dojo.notes.signals  # noqa: F401
        import dojo.product.signals  # noqa: F401
        import dojo.product_type.signals  # noqa: F401
        import dojo.risk_acceptance.signals  # noqa: F401
        import dojo.sla_config.helpers  # noqa: F401
        import dojo.tags_signals  # noqa: F401
        import dojo.test.signals  # noqa: F401
        import dojo.tool_product.signals  # noqa: F401


def get_model_fields_with_extra(model, extra_fields=()):
⚠️ Potential Authn/Authz Function Used or Modified: dojo/cred/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a reference to request.user.username, which suggests that it is retrieving information about the currently authenticated user. This indicates that the code is related to authentication or authorization functionality.
Filename: dojo/cred/views.py
Code:
            "form": form,
            "notes": notes,
            "cred_products": cred_products,
            "person": request.user.username,
        })
⚠️ Potential Authn/Authz Function Used or Modified: dojo/benchmark/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a decorator @user_is_authorized which is likely a custom function that checks if the user is authorized to perform a certain action (in this case, edit a benchmark). This suggests that the code contains functions related to authentication and authorization.
Filename: dojo/benchmark/views.py
Code:
        pass


@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
def update_benchmark(request, pid, _type):
    if request.method == "POST":
        bench_id = request.POST.get("bench_id")
⚠️ Potential Authn/Authz Function Used or Modified: dojo/cred/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains two functions that are likely related to authentication or authorization: delete_cred and user_is_authorized. The delete_cred function appears to be a wrapper function that checks the authorization of the user before allowing them to delete a credential. The user_is_authorized function is likely a decorator that enforces authorization checks on the decorated functions, which suggests that it is part of an authentication or authorization system.
Filename: dojo/cred/views.py
Code:
@user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
def delete_cred(request, ttid):
    return delete_cred_controller(request, "cred", 0, ttid=ttid)


@user_is_authorized(Product, Permissions.Product_Edit, "pid")
⚠️ Potential Authn/Authz Function Used or Modified: dojo/engagement/signals.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains imports and function definitions related to authentication and authorization functionalities. The LogEntry model from the auditlog.models module is typically used for tracking user actions and access, which is an important part of authentication and authorization systems. Additionally, the post_delete, post_save, pre_delete, and pre_save signals from django.db.models.signals are often used to perform actions related to user authentication and authorization, such as logging changes or sending notifications.
Filename: dojo/engagement/signals.py
Code:
from auditlog.models import LogEntry
from django.conf import settings
from django.contrib.contenttypes.models import ContentType
from django.db.models.signals import post_delete, post_save, pre_delete, pre_save
from django.dispatch import receiver
from django.urls import reverse
from django.utils.translation import gettext as _

from dojo.models import Engagement
from dojo.notes.helper import delete_related_notes
from dojo.notifications.helper import create_notification
⚠️ Potential Authn/Authz Function Used or Modified: dojo/engagement/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a function call user_has_permission_or_403() which is likely an authorization function that checks if the user making the request has the necessary permissions to access the requested resource (in this case, the engagement).
Filename: dojo/engagement/views.py
Code:
    def get(self, request, eid, *args, **kwargs):
        eng = get_object_or_404(Engagement, id=eid)
        # Make sure the user is authorized
        user_has_permission_or_403(request.user, eng, Permissions.Engagement_View)
        tests = eng.test_set.all().order_by("test_type__name", "-updated")
        default_page_num = 10
        tests_filter = self.get_filtered_tests(request, tests, eng)
⚠️ Potential Authn/Authz Function Used or Modified: dojo/engagement/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code includes a user_has_permission_or_403 function call, which is likely related to authorization or access control. This function checks if the user has the necessary permissions to access the Engagement object. Functions that perform such access control checks are considered to be related to authentication or authorization.
Filename: dojo/engagement/views.py
Code:
    def post(self, request, eid, *args, **kwargs):
        eng = get_object_or_404(Engagement, id=eid)
        # Make sure the user is authorized
        user_has_permission_or_403(request.user, eng, Permissions.Engagement_View)
        tests = eng.test_set.all().order_by("test_type__name", "-updated")
        default_page_num = 10
        tests_filter = self.get_filtered_tests(request, tests, eng)
⚠️ Potential Authn/Authz Function Used or Modified: dojo/engagement/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains the @user_is_authorized decorator, which is likely used for authorization purposes. This decorator is applied to the download_risk_acceptance function, indicating that the function is related to access control or authorization.
Filename: dojo/engagement/views.py
Code:
@user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
def download_risk_acceptance(request, eid, raid):
    mimetypes.init()
    risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
    # Ensure the risk acceptance is under the supplied engagement
    if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists():
        raise PermissionDenied
    response = StreamingHttpResponse(
        FileIterWrapper(
            open(settings.MEDIA_ROOT + "/" + risk_acceptance.path.name, mode="rb")))
⚠️ Potential Authn/Authz Function Used or Modified: dojo/finding/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The function request_finding_review takes a request parameter, which is typically used to access information about the current user, such as their authentication status or authorization level. Additionally, the function returns a rendered template that includes a user variable, which suggests that the function may be related to authentication or authorization functionality.
Filename: dojo/finding/views.py
Code:
    return render(
        request,
        "dojo/review_finding.html",
        {"finding": finding, "product_tab": product_tab, "user": user, "form": form, "enable_table_filtering": get_system_setting("enable_ui_table_based_searching")},
    )
⚠️ Potential Authn/Authz Function Used or Modified: dojo/notes/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code imports the Cred_User model, which suggests that it may contain functions related to user authentication or authorization. The Cred_User model is likely used to represent user credentials or user-related information, which are often part of authentication and authorization mechanisms.
Filename: dojo/notes/views.py
Code:
# Local application/library imports
from dojo.forms import DeleteNoteForm, NoteForm, TypedNoteForm
from dojo.models import Cred_User, Engagement, Finding, Note_Type, NoteHistory, Notes, Test

logger = logging.getLogger(__name__)
⚠️ Potential Authn/Authz Function Used or Modified: dojo/notes/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a function called delete_note that appears to handle the deletion of notes associated with different types of objects, including Finding and Cred_User. The Cred_User object suggests that this code might be related to managing user credentials or authentication-related data, which would be considered sensitive functions related to authorization or authentication.
Filename: dojo/notes/views.py
Code:
        object = get_object_or_404(Finding, id=objid)
        object_id = object.id
        reverse_url = "view_finding"
    elif page == "cred":
        object = get_object_or_404(Cred_User, id=objid)
        object_id = object.id
        reverse_url = "view_cred_details"
    form = DeleteNoteForm(request.POST, instance=note)
    if page is None: