Ruff: Fix issues via "target-version" #10846

Merged: 1 commit (d806751), Oct 9, 2024

DryRunSecurity / Authn/Authz Analyzer succeeded Oct 8, 2024 in 18s
Authn/Authz Analyzer Findings: 7 detected

⚠️ Potential Authn/Authz Function Used or Modified: dojo/api_v2/serializers.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a function named validate_findings_have_same_engagement that checks if the findings being added belong to the same engagement. This suggests that the code is related to authorization, as it is enforcing a restriction on the user's ability to add findings from multiple engagements.
Filename: dojo/api_v2/serializers.py
Code:
    )
    def validate(self, data):
        def validate_findings_have_same_engagement(finding_objects: list[Finding]):
            engagements = finding_objects.values_list("test__engagement__id", flat=True).distinct().count()
            if engagements > 1:
                msg = "You are not permitted to add findings from multiple engagements"
⚠️ Potential Authn/Authz Function Used or Modified: dojo/engagement/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a function named get_engagement_or_product that takes a user: Dojo_User parameter, which suggests it may be related to authentication or authorization. Functions that deal with user objects or sessions are often part of the authentication or authorization logic in web applications.
Filename: dojo/engagement/views.py
Code:
    def get_engagement_or_product(
        self,
        user: Dojo_User,
        engagement_id: int | None = None,
        product_id: int | None = None,
    ) -> tuple[Engagement, Product, Product | Engagement]:
        """Using the path parameters, either fetch the product or engagement"""
        engagement = product = engagement_or_product = None
        # Get the product if supplied
⚠️ Potential Authn/Authz Function Used or Modified: dojo/importers/endpoint_manager.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a function called mitigate_endpoint_status that takes a Dojo_User parameter, which suggests that this function may be related to authentication or authorization. Functions that take a user object as a parameter are often used to enforce access control or verify the user's identity.
Filename: dojo/importers/endpoint_manager.py
Code:
    @app.task()
    def mitigate_endpoint_status(
        self,
        endpoint_status_list: list[Endpoint_Status],
        user: Dojo_User,
        **kwargs: dict,
    ) -> None:
⚠️ Potential Authn/Authz Function Used or Modified: dojo/importers/endpoint_manager.py
Type: Potential Authn/Authz Function Used or Modified
Description: The function chunk_endpoints_and_mitigate takes a Dojo_User parameter, which suggests that this function is related to user authentication or authorization. Functions that deal with user-specific operations are typically part of the authentication or authorization flow in an application.
Filename: dojo/importers/endpoint_manager.py
Code:
    def chunk_endpoints_and_mitigate(
        self,
        endpoint_status_list: list[Endpoint_Status],
        user: Dojo_User,
        **kwargs: dict,
    ) -> None:
⚠️ Potential Authn/Authz Function Used or Modified: dojo/remote_user.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code appears to be handling an authentication-related header, specifically the AUTH_REMOTEUSER_USERNAME_HEADER setting. This header is likely used to identify the user making the request, which is a common part of an authentication or authorization flow.
Filename: dojo/remote_user.py
Code:
            return {}
        header_name = settings.AUTH_REMOTEUSER_USERNAME_HEADER
        header_name = header_name.removeprefix("HTTP_")
        header_name = header_name.replace("_", "-").capitalize()
        return {
⚠️ Potential Authn/Authz Function Used or Modified: dojo/reports/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains the get_endpoints function, which appears to be related to authorization. This function takes a user parameter, which suggests that it is used to filter the endpoints queryset based on the user's permissions or access level.
Filename: dojo/reports/views.py
Code:
        filter_class = EndpointFilterWithoutObjectLookups if filter_string_matching else EndpointFilter
        return filter_class(request.GET, queryset=endpoints, user=request.user)
    def get_available_widgets(self, request: HttpRequest) -> list[Widget]:
        return [
            CoverPage(request=request),
            TableOfContents(request=request),
⚠️ Potential Authn/Authz Function Used or Modified: dojo/risk_acceptance/api.py
Type: Potential Authn/Authz Function Used or Modified
Description: The provided code snippet contains a function named _accept_risks that takes a User object as a parameter, which suggests that this function may be related to authentication or authorization. Functions that deal with users or access control are typically considered sensitive and part of the authentication or authorization flows.
Filename: dojo/risk_acceptance/api.py
Code:
    return Response(status=201, data=result.data)
def _accept_risks(accepted_risks: list[AcceptedRisk], base_findings: QuerySet, owner: User):
    accepted = []
    for risk in accepted_risks:
        vulnerability_ids = Vulnerability_Id.objects \