Release: Merge release into master from: release/2.33.6 #10039

Merged
merged 6 commits into from
Apr 26, 2024

Update versions in application files

0d27468
DryRunSecurity / Authn/Authz Analyzer succeeded Apr 26, 2024 in 14s


Authn/Authz Analyzer Findings: 10 detected

⚠️ Potential Authn/Authz Function Used or Modified: dojo/filters.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains functions related to authentication or authorization, specifically the reporter and reviewers fields. These fields are typically used for access control and authorization purposes, where the application needs to identify the user who reported the finding and the users who are authorized to review it.
Filename: dojo/filters.py
Code:

        'mitigated',
        'reporter',
        'reviewers',
    ])

    if filter_string_matching:
        fields.extend([
            'reporter',
            'reviewers',
            'test__engagement__product__prod_type__name',
            'test__engagement__product__name',
            'test__engagement__name',
            'test__title',
        ])
    else:
        fields.extend([
            'reporter',
            'reviewers',
            'test__engagement__product__prod_type',
            'test__engagement__product',
            'test__engagement',
            'test',
        ])

    fields.extend([
        'test__test_type',
        'test__engagement__version',
        'test__version',

⚠️ Potential Authn/Authz Function Used or Modified: dojo/filters.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains several functions that appear to be related to authentication and authorization, such as get_authorized_users and get_authorized_risk_acceptances. These functions are used to filter the queryset of user and risk acceptance models based on user permissions, which is a common pattern for implementing access control in web applications.
Filename: dojo/filters.py
Code:

class AcceptedFindingFilter(FindingFilter):
    risk_acceptance__created__date = DateRangeFilter(label="Acceptance Date")
    risk_acceptance__owner = ModelMultipleChoiceFilter(
        queryset=Dojo_User.objects.none(),
        label="Risk Acceptance Owner")
    risk_acceptance = ModelMultipleChoiceFilter(
        queryset=Risk_Acceptance.objects.none(),
        label="Accepted By")

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.form.fields['risk_acceptance__owner'].queryset = get_authorized_users(Permissions.Finding_View)
        self.form.fields['risk_acceptance'].queryset = get_authorized_risk_acceptances(Permissions.Risk_Acceptance)


class AcceptedFindingFilterWithoutObjectLookups(FindingFilterWithoutObjectLookups):
    risk_acceptance__created__date = DateRangeFilter(label="Acceptance Date")
    risk_acceptance__owner = CharFilter(
        field_name="risk_acceptance__owner__username",
        lookup_expr="iexact",
        label="Risk Acceptance Owner Username",
        help_text="Search for Risk Acceptance Owners username that are an exact match")
    risk_acceptance__owner_contains = CharFilter(
        field_name="risk_acceptance__owner__username",
        lookup_expr="icontains",
        label="Risk Acceptance Owner Username Contains",
        help_text="Search for Risk Acceptance Owners username that contain a given pattern")
    risk_acceptance__name = CharFilter(
        field_name="risk_acceptance__name",
        lookup_expr="iexact",
        label="Risk Acceptance Name",
        help_text="Search for Risk Acceptance name that are an exact match")
    risk_acceptance__name_contains = CharFilter(
        field_name="risk_acceptance__name",
        lookup_expr="icontains",
        label="Risk Acceptance Name",
        help_text="Search for Risk Acceptance name contain a given pattern")


class SimilarFindingHelper(FilterSet):
    hash_code = MultipleChoiceFilter()
    vulnerability_ids = CharFilter(method=custom_vulnerability_id_filter, label='Vulnerability Ids')

    def update_data(self, data: dict, *args: list, **kwargs: dict):
        # if filterset is bound, use initial values as defaults
        # because of this, we can't rely on the self.form.has_changed
        self.has_changed = True

⚠️ Potential Authn/Authz Function Used or Modified: dojo/filters.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains functions related to authentication and authorization. The FindingFilter class has fields such as reporter and reviewers which indicate that the application is managing user roles and permissions. Additionally, the set_related_object_fields method is modifying the form fields based on the pid parameter, suggesting that the application is managing access control and authorization based on some product or project ID.
Filename: dojo/filters.py
Code:

        if 'pid' in kwargs:
            self.pid = kwargs.pop('pid')
        super().__init__(*args, **kwargs)
        # Set some date fields
        self.set_date_fields(*args, **kwargs)
        # Don't show the product filter on the product finding view
        if self.pid:
            del self.form.fields['test__engagement__product__name']
            del self.form.fields['test__engagement__product__name_contains']
            del self.form.fields['test__engagement__product__prod_type__name']
            del self.form.fields['test__engagement__product__prod_type__name_contains']
        else:
            del self.form.fields['test__name']
            del self.form.fields['test__name_contains']


class FindingFilter(FindingFilterNonModelFilters, FindingTagFilter):
    reporter = ModelMultipleChoiceFilter(queryset=Dojo_User.objects.none())
    reviewers = ModelMultipleChoiceFilter(queryset=Dojo_User.objects.none())
    test__engagement__product__prod_type = ModelMultipleChoiceFilter(
        queryset=Product_Type.objects.none(),
        label="Product Type")
    test__engagement__product__lifecycle = MultipleChoiceFilter(
        choices=Product.LIFECYCLE_CHOICES,
        label='Product lifecycle')
    test__engagement__product = ModelMultipleChoiceFilter(
        queryset=Product.objects.none(),
        label="Product")
    test__engagement = ModelMultipleChoiceFilter(
        queryset=Engagement.objects.none(),
        label="Engagement")
    test = ModelMultipleChoiceFilter(
        queryset=Test.objects.none(),
        label="Test")

    if is_finding_groups_enabled():
        finding_group = ModelMultipleChoiceFilter(
            queryset=Finding_Group.objects.none(),
            label="Finding Group")

    class Meta:
        model = Finding
        fields = get_finding_filterset_fields()
        exclude = ['url', 'description', 'mitigation', 'impact',
                   'endpoints', 'references',
                   'thread_id', 'notes', 'scanner_confidence',
                   'numerical_severity', 'line', 'duplicate_finding',
                   'hash_code', 'reviewers', 'created', 'files',
                   'sla_start_date', 'sla_expiration_date', 'cvssv3',
                   'severity_justification', 'steps_to_reproduce',]

    def __init__(self, *args, **kwargs):
        self.user = None
        self.pid = None
        if 'user' in kwargs:
            self.user = kwargs.pop('user')
        if 'pid' in kwargs:
            self.pid = kwargs.pop('pid')
        super().__init__(*args, **kwargs)
        # Set some date fields
        self.set_date_fields(*args, **kwargs)
        # Don't show the product filter on the product finding view
        self.set_related_object_fields(*args, **kwargs)

    def set_related_object_fields(self, *args: list, **kwargs: dict):
        if self.pid is not None:
            del self.form.fields['test__engagement__product']
            del self.form.fields['test__engagement__product__prod_type']
            # TODO add authorized check to be sure

⚠️ Potential Authn/Authz Function Used or Modified: dojo/filters.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains two functions, filter_queryset() and get_authorized_findings(), that appear to be related to authorization or access control. The filter_queryset() function is used to filter the queryset to only include findings that the user is authorized to view, based on the Permissions.Finding_View permission. This suggests that the code is handling authorization-related functionality.
Filename: dojo/filters.py
Code:

        self.has_changed = False

    def set_hash_codes(self, *args: list, **kwargs: dict):
        if self.finding and self.finding.hash_code:
            self.form.fields['hash_code'] = forms.MultipleChoiceField(choices=[(self.finding.hash_code, self.finding.hash_code[:24] + '...')], required=False, initial=[])

    def filter_queryset(self, *args: list, **kwargs: dict):
        queryset = super().filter_queryset(*args, **kwargs)
        queryset = get_authorized_findings(Permissions.Finding_View, queryset, self.user)
        queryset = queryset.exclude(pk=self.finding.pk)
        return queryset


class SimilarFindingFilter(FindingFilter, SimilarFindingHelper):
    class Meta(FindingFilter.Meta):
        model = Finding
        # slightly different fields from FindingFilter, but keep the same ordering for UI consistency
        fields = get_finding_filterset_fields(similar=True)

    def __init__(self, data=None, *args, **kwargs):
        self.user = None
        if 'user' in kwargs:
            self.user = kwargs.pop('user')
        self.finding = None
        if 'finding' in kwargs:
            self.finding = kwargs.pop('finding')
        self.update_data(data, *args, **kwargs)
        super().__init__(data, *args, **kwargs)
        self.set_hash_codes(*args, **kwargs)


class SimilarFindingFilterWithoutObjectLookups(FindingFilterWithoutObjectLookups, SimilarFindingHelper):
    class Meta(FindingFilterWithoutObjectLookups.Meta):
        model = Finding
        # slightly different fields from FindingFilter, but keep the same ordering for UI consistency
        fields = get_finding_filterset_fields(similar=True, filter_string_matching=True)

    def __init__(self, data=None, *args, **kwargs):
        self.user = None
        if 'user' in kwargs:
            self.user = kwargs.pop('user')
        self.finding = None
        if 'finding' in kwargs:
            self.finding = kwargs.pop('finding')
        self.update_data(data, *args, **kwargs)
        super().__init__(data, *args, **kwargs)
        self.set_hash_codes(*args, **kwargs)


class TemplateFindingFilter(DojoFilter):
    title = CharFilter(lookup_expr='icontains')
    cwe = MultipleChoiceFilter(choices=[])

⚠️ Potential Authn/Authz Function Used or Modified: dojo/finding/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains the function get_authorized_findings, which appears to be related to authorization and access control. This function is used to filter the queryset of findings based on the user's permissions, which suggests that it is part of an authentication or authorization mechanism.
Filename: dojo/finding/views.py
Code:

                request, finding, finding.duplicate_finding
            )
        )

    filter_string_matching = get_system_setting("filter_string_matching", False)
    finding_filter_class = SimilarFindingFilterWithoutObjectLookups if filter_string_matching else SimilarFindingFilter
    similar_findings_filter = finding_filter_class(
        request.GET,
        queryset=get_authorized_findings(Permissions.Finding_View),
        user=request.user,

⚠️ Potential Authn/Authz Function Used or Modified: dojo/metrics/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code imports the Dojo_User model, which suggests that there are likely functions related to user authentication and authorization present in the codebase. The Dojo_User model would typically be used to manage user accounts, including features such as login, logout, and access control.
Filename: dojo/metrics/views.py
Code:

from django.views.decorators.cache import cache_page
from django.utils import timezone
from dojo.filters import MetricsFindingFilter, UserFilter, MetricsEndpointFilter, MetricsFindingFilterWithoutObjectLookups
from dojo.forms import SimpleMetricsForm, ProductTypeCountsForm, ProductTagCountsForm
from dojo.models import Product_Type, Finding, Product, Engagement, Test, \
    Risk_Acceptance, Dojo_User, Endpoint_Status

⚠️ Potential Authn/Authz Function Used or Modified: dojo/finding_group/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains functions related to authentication or authorization, such as get_system_setting and create_notification, which are likely used for managing user permissions and notifications.
Filename: dojo/finding_group/views.py
Code:

from dojo.utils import Product_Tab, add_breadcrumb, get_words_for_field, get_page_items, get_system_setting
from dojo.forms import DeleteFindingGroupForm, EditFindingGroupForm, FindingBulkUpdateForm
from dojo.notifications.helper import create_notification
from dojo.finding.views import prefetch_for_findings
from dojo.filters import FindingFilter, FindingFilterWithoutObjectLookups
from django.contrib import messages
from django.contrib.admin.utils import NestedObjects
from django.db.utils import DEFAULT_DB_ALIAS

⚠️ Potential Authn/Authz Function Used or Modified: dojo/finding_group/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains the user_has_permission_or_403() function, which is likely used for authorization purposes. This function is called to check if the user has permission to view the product or engagement associated with the finding group. Additionally, the code references the Permissions class, which suggests the presence of an authorization system.
Filename: dojo/finding_group/views.py
Code:

    finding_group = get_object_or_404(Finding_Group, pk=fgid)
    findings = finding_group.findings.all()
    edit_finding_group_form = EditFindingGroupForm(instance=finding_group)
    filter_string_matching = get_system_setting("filter_string_matching", False)
    finding_filter_class = FindingFilterWithoutObjectLookups if filter_string_matching else FindingFilter
    show_product_column = True
    custom_breadcrumb = None
    product_tab = None
    jira_project = None
    github_config = None

    if finding_group.test.engagement.product.id:
        pid = finding_group.test.engagement.product.id
        product = get_object_or_404(Product, id=pid)
        user_has_permission_or_403(request.user, product, Permissions.Product_View)
        product_tab = Product_Tab(product, title="Findings", tab="findings")
        jira_project = jira_helper.get_jira_project(product)
        github_config = GITHUB_PKey.objects.filter(product=pid).first()
        findings_filter = finding_filter_class(request.GET, findings, user=request.user, pid=pid)
    elif finding_group.test.engagement.id:
        eid = finding_group.test.engagement.id
        engagement = get_object_or_404(Engagement, id=eid)
        user_has_permission_or_403(request.user, engagement, Permissions.Engagement_View)
        product_tab = Product_Tab(engagement.product, title=engagement.name, tab="engagements")
        jira_project = jira_helper.get_jira_project(engagement)
        github_config = GITHUB_PKey.objects.filter(product__engagement=eid).first()
        findings_filter = finding_filter_class(request.GET, findings, user=request.user, eid=eid)

    title_words = get_words_for_field(Finding, 'title')
    component_words = get_words_for_field(Finding, 'component_name')

⚠️ Potential Authn/Authz Function Used or Modified: dojo/product/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains several import statements that suggest the presence of functions related to authentication or authorization, such as ProductFilter, EngagementFilter, and JIRAFindingForm. These filters and forms are likely used to manage user access and permissions within the application.
Filename: dojo/product/views.py
Code:

from dojo.templatetags.display_tags import asvs_calc_level
from dojo.filters import ProductEngagementFilter, ProductFilter, EngagementFilter, MetricsEndpointFilter, \
    MetricsFindingFilter, MetricsFindingFilterWithoutObjectLookups, ProductComponentFilter
from dojo.forms import ProductForm, EngForm, DeleteProductForm, DojoMetaDataForm, JIRAProjectForm, JIRAFindingForm, \
    AdHocFindingForm, \
    EngagementPresetsForm, DeleteEngagementPresetsForm, ProductNotificationsForm, \

⚠️ Potential Authn/Authz Function Used or Modified: dojo/search/views.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains imports for dojo.models and dojo.utils, which likely contain functions related to authentication or authorization. The dojo.finding.views and dojo.endpoint.views modules also suggest the presence of functions that might be involved in managing user access to application resources.
Filename: dojo/search/views.py
Code:

from django.db.models import Q
from dojo.forms import SimpleSearchForm
from dojo.models import Finding, Finding_Template, Product, Test, Engagement, Languages
from dojo.utils import add_breadcrumb, get_page_items, get_words_for_field, get_system_setting
import re
from dojo.finding.views import prefetch_for_findings
from dojo.endpoint.views import prefetch_for_endpoints
from dojo.filters import FindingFilter, FindingFilterWithoutObjectLookups
from django.conf import settings
import shlex
import itertools