Fix information disclosure in conflict validation error messages

Maffooch · claude · Maffooch · commit 70c2c19a6678 · 2026-04-16T09:18:28.000-06:00
Replace error messages that leaked resolved object names (product names,
engagement names) with generic messages. An attacker could enumerate
object names by sending conflicting ID-based and name-based identifiers
and reading the detailed error responses.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py
@@ -475,10 +475,10 @@ def has_permission(self, request, view):
         if engagement := converted_dict.get("engagement"):
             # Validate the resolved engagement's parent chain matches any provided identifiers
             if (product := converted_dict.get("product")) and engagement.product_id != product.id:
-                msg = f'The resolved engagement is associated with product "{engagement.product.name}", not with product "{converted_dict.get("product_name")}"'
+                msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product."
                 raise ValidationError(msg)
             if (engagement_name := converted_dict.get("engagement_name")) and engagement.name != engagement_name:
-                msg = f'The resolved engagement is named "{engagement.name}", not "{engagement_name}"'
+                msg = "The provided identifiers are inconsistent — the engagement name does not match the specified engagement."
                 raise ValidationError(msg)
             return user_has_permission(
                 request.user, engagement, Permissions.Import_Scan_Result,
@@ -787,17 +787,17 @@ def has_permission(self, request, view):
         if test := converted_dict.get("test"):
             # Validate the resolved test's parent chain matches any provided identifiers
             if (product := converted_dict.get("product")) and test.engagement.product_id != product.id:
-                msg = f'The resolved test is associated with product "{test.engagement.product.name}", not with product "{converted_dict.get("product_name")}"'
+                msg = "The provided identifiers are inconsistent — the test does not belong to the specified product."
                 raise ValidationError(msg)
             if (engagement := converted_dict.get("engagement")) and test.engagement_id != engagement.id:
-                msg = f'The resolved test is associated with engagement "{test.engagement.name}", not with engagement "{converted_dict.get("engagement_name")}"'
+                msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement."
                 raise ValidationError(msg)
             # Also validate by name when the objects were not resolved (e.g. names that match no existing record)
             if not converted_dict.get("product") and (product_name := converted_dict.get("product_name")) and test.engagement.product.name != product_name:
-                msg = f'The resolved test is associated with product "{test.engagement.product.name}", not with product "{product_name}"'
+                msg = "The provided identifiers are inconsistent — the test does not belong to the specified product."
                 raise ValidationError(msg)
             if not converted_dict.get("engagement") and (engagement_name := converted_dict.get("engagement_name")) and test.engagement.name != engagement_name:
-                msg = f'The resolved test is associated with engagement "{test.engagement.name}", not with engagement "{engagement_name}"'
+                msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement."
                 raise ValidationError(msg)
             return user_has_permission(
                 request.user, test, Permissions.Import_Scan_Result,
@@ -1207,7 +1207,7 @@ def check_auto_create_permission(
     if engagement:
         # Validate the resolved engagement's parent chain matches any provided names
         if product is not None and engagement.product_id != product.id:
-            msg = f'The resolved engagement is associated with product "{engagement.product.name}", not with product "{product_name}"'
+            msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product."
             raise ValidationError(msg)
         return user_has_permission(
             user, engagement, Permissions.Import_Scan_Result,
diff --git a/dojo/importers/auto_create_context.py b/dojo/importers/auto_create_context.py
@@ -182,7 +182,7 @@ def get_target_engagement_if_exists(
         if engagement := get_object_or_none(Engagement, pk=engagement_id):
             logger.debug("Using existing engagement by id: %s", engagement_id)
             if product is not None and engagement.product_id != product.id:
-                msg = f'Engagement "{engagement_id}" does not belong to product "{product}"'
+                msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product."
                 raise ValueError(msg)
             return engagement
         # if there's no product, then for sure there's no engagement either
@@ -207,7 +207,7 @@ def get_target_test_if_exists(
         if test := get_object_or_none(Test, pk=test_id):
             logger.debug("Using existing Test by id: %s", test_id)
             if engagement is not None and test.engagement_id != engagement.id:
-                msg = f'Test "{test_id}" does not belong to engagement "{engagement}"'
+                msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement."
                 raise ValueError(msg)
             return test
         # If the engagement is not supplied, we cannot do anything
