Use a dedicated permission class for BurpRawRequestResponseViewSet

Maffooch · claude · Maffooch · commit e75944f68302 · 2026-05-07T20:34:16.000-06:00
The top-level /api/v2/request_response_pairs/ viewset reused UserHasFindingRelatedObjectPermission, which is shaped for @action(detail=True) endpoints where DRF resolves the parent finding from the URL. On a top-level POST there is no parent object resolved yet, so the create flow only ran has_object_permission against the not-yet-saved row and effectively skipped any check on the client-supplied "finding" foreign key. Introduce UserHasBurpRawRequestResponsePermission, which validates the parent finding against Finding_Edit on POST via check_post_permission, mirroring the pattern already used by UserHasFindingPermission, UserHasProductPermission, and the other parent-keyed viewsets. has_object_permission dereferences obj.finding for retrieve/update/delete so list/detail/PUT/PATCH/DELETE behavior is unchanged. Add regression coverage in unittests/test_rest_framework.py asserting the positive control still works, that an authenticated user without membership cannot create a pair on a hidden finding, and that POSTs missing the finding key are rejected. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py
@@ -455,6 +455,23 @@ class UserHasFindingNotePermission(BaseRelatedObjectPermission):
     }
 
 
+class UserHasBurpRawRequestResponsePermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request, Finding, "finding", Permissions.Finding_Edit,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj.finding,
+            Permissions.Finding_View,
+            Permissions.Finding_Edit,
+            Permissions.Finding_Edit,
+            Permissions.Finding_Edit,
+        )
+
+
 class UserHasImportPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         # permission check takes place before validation, so we don't have access to serializer.validated_data()
diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
@@ -3011,7 +3011,7 @@ class BurpRawRequestResponseViewSet(
     filterset_fields = ["finding"]
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasFindingRelatedObjectPermission,
+        permissions.UserHasBurpRawRequestResponsePermission,
     )
 
     def get_queryset(self):
diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py
@@ -1788,6 +1788,66 @@ def test_request_response_get(self):
         self.assertEqual(200, response.status_code, response.content[:1000])
 
 
+class RequestResponsePairsAuthzTest(DojoAPITestCase):
+
+    fixtures = ["dojo_testdata.json"]
+
+    def _client_for(self, username):
+        user = User.objects.get(username=username)
+        token = Token.objects.get(user=user)
+        client = APIClient()
+        client.credentials(HTTP_AUTHORIZATION="Token " + token.key)
+        return client
+
+    def test_admin_can_create_request_response_pair_positive_control(self):
+        client = self._client_for("admin")
+        before = BurpRawRequestResponse.objects.filter(finding_id=7).count()
+        response = client.post(
+            "/api/v2/request_response_pairs/",
+            dumps({
+                "finding": 7,
+                "burpRequestBase64": "cmVxdWVzdAo=",
+                "burpResponseBase64": "cmVzcG9uc2UK",
+            }),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 201, response.content[:1000])
+        self.assertEqual(BurpRawRequestResponse.objects.filter(finding_id=7).count(), before + 1)
+
+    def test_unrelated_user_cannot_create_request_response_pair_on_hidden_finding(self):
+        client = self._client_for("user2")
+        # Sanity: the victim finding is genuinely hidden from this user.
+        get_response = client.get("/api/v2/findings/7/")
+        self.assertEqual(get_response.status_code, 404)
+
+        before = BurpRawRequestResponse.objects.filter(finding_id=7).count()
+        response = client.post(
+            "/api/v2/request_response_pairs/",
+            dumps({
+                "finding": 7,
+                "burpRequestBase64": "cmVxdWVzdAo=",
+                "burpResponseBase64": "cmVzcG9uc2UK",
+            }),
+            content_type="application/json",
+        )
+        self.assertIn(response.status_code, (403, 404), response.content[:1000])
+        self.assertEqual(BurpRawRequestResponse.objects.filter(finding_id=7).count(), before)
+
+    def test_post_without_finding_returns_4xx(self):
+        client = self._client_for("user2")
+        response = client.post(
+            "/api/v2/request_response_pairs/",
+            dumps({
+                "burpRequestBase64": "cmVxdWVzdAo=",
+                "burpResponseBase64": "cmVzcG9uc2UK",
+            }),
+            content_type="application/json",
+        )
+        # check_post_permission raises ParseError (400) when "finding" is omitted.
+        self.assertGreaterEqual(response.status_code, 400)
+        self.assertLess(response.status_code, 500)
+
+
 @versioned_fixtures
 class FilesTest(DojoAPITestCase):
     fixtures = ["dojo_testdata.json"]

Original file line number	Diff line number	Diff line change
`@@ -3011,7 +3011,7 @@ class BurpRawRequestResponseViewSet(`
`3011`	`3011`	`filterset_fields = ["finding"]`
`3012`	`3012`	`permission_classes = (`
`3013`	`3013`	`IsAuthenticated,`
`3014`		`- permissions.UserHasFindingRelatedObjectPermission,`
	`3014`	`+ permissions.UserHasBurpRawRequestResponsePermission,`
`3015`	`3015`	`)`
`3016`	`3016`
`3017`	`3017`	`def get_queryset(self):`