
Disallow multiple single-use notes on a single object #11306

Open · wants to merge 2 commits into base: bugfix

Conversation

hblankenship
Collaborator

[sc-6050]

Returns a BAD_REQUEST status and an error message when attempting to POST a note with a Note Type of 'is_single' - if another Note with that Note Type already exists on the given object (finding, engagement, test).

@github-actions github-actions bot added the apiv2 label Nov 21, 2024

dryrunsecurity bot commented Nov 21, 2024

DryRun Security Summary

The code change in this pull request implements a new feature that restricts the creation of multiple instances of a specific note type on an engagement, finding, or test, which is a security-focused improvement to the Defect Dojo application.


Summary:

The code change in this pull request appears to be a security-focused improvement to the Defect Dojo application. The key change is the implementation of a new feature that restricts the creation of multiple instances of a specific note type on an engagement, finding, or test. This change is likely an application security enhancement to prevent users from accidentally creating multiple instances of certain note types, which could lead to confusion or unintended behavior in the application.

From an application security perspective, this change is a positive step, as it helps to enforce data integrity and consistency within the application. By restricting the creation of multiple instances of specific note types, the application reduces the risk of data inconsistency and potential security vulnerabilities that could arise from such inconsistencies. Overall, this code change appears to be a well-considered improvement to the Defect Dojo application, with a focus on enhancing the application's security and data integrity.

Files Changed:

  • dojo/api_v2/views.py: This file has been updated to include a new check in the notes action of the EngagementViewSet, FindingViewSet, and TestsViewSet. The check ensures that only one instance of a note type with the is_single flag set to True can be created on the respective object. If an attempt is made to create a second instance of a note type marked as is_single, the API will return a 400 Bad Request response with an appropriate error message.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

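The rule described in the PR description and in the DryRun summary above (one note per object for any note type flagged `is_single`, with a 400 Bad Request on a second attempt) is small enough to show in isolation. The following is an added illustration, not code from the DefectDojo pull request or from the `dojo/api_v2/views.py` views it modifies; it models a finding, engagement or test as a plain in-memory object with a list of notes, and the names `NoteType`, `Note`, `NotedObject`, `single_note_conflict` and `add_note` are assumptions of this example rather than DefectDojo identifiers.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the models involved. Real DefectDojo note
# types live in the database; here a note type is just a name plus the
# is_single flag that the PR checks.
@dataclass(frozen=True)
class NoteType:
    name: str
    is_single: bool = False

@dataclass
class Note:
    note_type: Optional[NoteType]   # notes may carry no type at all
    entry: str

@dataclass
class NotedObject:
    """Stand-in for a finding, engagement or test that carries notes."""
    kind: str
    notes: list = field(default_factory=list)

HTTP_201_CREATED = 201
HTTP_400_BAD_REQUEST = 400


def single_note_conflict(obj: NotedObject, note_type: Optional[NoteType]) -> bool:
    """True when obj already holds a note of a type flagged is_single.

    Untyped notes and non-single note types never conflict, so only
    typed, is_single notes are compared.
    """
    if note_type is None or not note_type.is_single:
        return False
    return any(n.note_type == note_type for n in obj.notes)


def add_note(obj: NotedObject, note_type: Optional[NoteType], entry: str):
    """Hypothetical POST handler for /<object>/notes.

    Returns an (http_status, body) pair: 400 with an error message when
    the is_single rule would be violated, otherwise 201 with the note.
    """
    if single_note_conflict(obj, note_type):
        return HTTP_400_BAD_REQUEST, {
            "error": (
                f"A note of type '{note_type.name}' already exists on this "
                f"{obj.kind}; only one note of that type is allowed."
            )
        }
    obj.notes.append(Note(note_type=note_type, entry=entry))
    return HTTP_201_CREATED, {
        "entry": entry,
        "note_type": note_type.name if note_type else None,
    }


if __name__ == "__main__":
    review = NoteType("Review", is_single=True)
    comment = NoteType("Comment")
    finding = NotedObject("finding")
    print(add_note(finding, review, "first review"))    # 201
    print(add_note(finding, review, "second review"))   # 400, error
    print(add_note(finding, comment, "free-form"))      # 201
    print(add_note(finding, comment, "another"))        # 201, not single
```

One caveat for reviewers of a check like this, which applies to the example and not specifically to the PR's code: a read-then-write check performed in the request handler is only as strong as the surrounding transaction. Two concurrent POSTs for the same object can both observe zero existing notes and both succeed, so where the invariant matters a database-level guard (a unique constraint on the object/note-type pair, or a row lock taken before the check) is the durable enforcement, with the API-level 400 as the friendly error on top.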

Contributor

@mtesauro mtesauro left a comment


Approved

5 participants