
rebase migration + serializer

15fc291
Merged

Improve cvssv3 validation #12440

rebase migration + serializer
15fc291
DryRunSecurity / General Security Analyzer succeeded Jun 22, 2025 in 44s

DryRun Security


General Security Analyzer Findings: 3 detected

⚠️ Potential DoS via CVSS Parsing dojo/tools/jfrog_xray_unified/parser.py (click for details)
Type Potential DoS via CVSS Parsing
Description Multiple parsers introduce a utility function parse_cvss_data() which processes untrusted CVSS vector inputs. While the function appears to use a library for parsing, there's a potential risk of resource exhaustion if maliciously crafted CVSS vectors are processed. The parsing occurs in multiple tools like JFrog Xray, Sonatype, and others, increasing the attack surface.
Filename dojo/tools/jfrog_xray_unified/parser.py
from datetime import datetime
from dojo.models import Finding
from dojo.utils import parse_cvss_data
class JFrogXrayUnifiedParser:
⚠️ Logging Sensitive Input dojo/utils.py (click for details)
Type Logging Sensitive Input
Description The parse_cvss_data() function in utils.py logs the full CVSS vector string when parsing fails. In a debug or error logging context, this could potentially expose sensitive information if the CVSS vector contains unexpected data. The logging occurs at debug level, which mitigates some risk but doesn't eliminate it completely.
Filename dojo/utils.py
import bleach
import crum
import cvss.parser
import hyperlink
import vobject
from asteval import Interpreter
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cvss.cvss3 import CVSS3
from dateutil.parser import parse
from dateutil.relativedelta import MO, SU, relativedelta
from django.conf import settings
from django.contrib import messages
from django.contrib.auth.signals import user_logged_in, user_logged_out, user_login_failed
from django.core.paginator import Paginator
from django.db.models import Case, Count, IntegerField, Q, Sum, Value, When
from django.db.models.query import QuerySet
⚠️ Validator Information Disclosure dojo/validators.py (click for details)
Type Validator Information Disclosure
Description The validators.py contains error handling that logs and constructs error messages embedding user input. While the input is expected to be CVSS vectors, the direct inclusion of input in error messages could potentially leak implementation details or be used for reconnaissance.
Filename dojo/validators.py
import logging
import re
from collections.abc import Callable
import cvss.parser
from cvss import CVSS2, CVSS3, CVSS4
from django.core.exceptions import ValidationError
# Module-level logger shared by the validators below.
logger = logging.getLogger(__name__)
def tag_validator(value: str | list[str], exception_class: Callable = ValidationError) -> None:
    """Reject tags that contain a space, a comma or a quote character.

    Args:
        value: A single tag, or a list of tags.
        exception_class: Exception type raised when validation fails. Defaults to
            Django's ``ValidationError`` so the function can be plugged in as a
            field validator; callers may pass another exception type.

    Raises:
        exception_class: with one message per offending tag, or a single message
            when *value* is neither a string nor a list.
    """
    # Characters that would break the space/comma separated tag syntax.
    forbidden = re.compile(r'[ ,\'"]')

    def describe(tag):
        # The offending tag is echoed back so the user can see what to fix.
        return f"Invalid tag: '{tag}'. Tags should not contain spaces, commas, or quotes."

    if isinstance(value, list):
        # NOTE(review): each list element is assumed to be a str — confirm at the callers.
        problems = [describe(tag) for tag in value if forbidden.search(tag)]
    elif isinstance(value, str):
        problems = [describe(value)] if forbidden.search(value) else []
    else:
        problems = [f"Value must be a string or list of strings: {value} - {type(value)}."]

    if not problems:
        return
    logger.debug(f"Tag validation failed: {problems}")
    raise exception_class(problems)
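def cvss3_validator(value: str | list[str], exception_class: Callable = ValidationError) -> None:
    """Validate that *value* holds a CVSS v3 vector.

    Only the first vector found by ``cvss.parser.parse_cvss_from_text`` is
    inspected; it must be a ``CVSS3`` instance for validation to pass.

    Args:
        value: Text expected to contain a CVSS vector string. The annotation also
            admits a list, but the value is handed to the parser as-is — TODO confirm
            whether list input is ever passed by callers.
        exception_class: Exception type raised on failure. Defaults to Django's
            ``ValidationError`` so the function can be used as a field validator.

    Raises:
        exception_class: when no vector is found, or when the first vector found is
            not CVSS v3 (CVSS v2, CVSS v4 and unknown versions are all rejected).
    """
    # The value is user-supplied; trace it at DEBUG rather than ERROR so the raw
    # vector is not written to error logs on every validation call.
    logger.debug("cvss3_validator called with value: %s", value)
    cvss_vectors = cvss.parser.parse_cvss_from_text(value)
    if not cvss_vectors:
        # Explicitly raise an error if no CVSS vectors are found,
        # to avoid 'NoneType' errors during severity processing later.
        msg = "No valid CVSS vectors found by cvss.parse_cvss_from_text()"
        raise exception_class(msg)

    vector_obj = cvss_vectors[0]
    if isinstance(vector_obj, CVSS3):
        # all is good
        return
    # CVSS4 is not supported yet by the parse_cvss_from_text function, but let's prepare for it anyway: https://github.com/RedHatProductSecurity/cvss/issues/53
    if isinstance(vector_obj, CVSS4):
        msg = "Unsupported CVSS(4) version detected."
    elif isinstance(vector_obj, CVSS2):
        msg = "Unsupported CVSS(2) version detected."
    else:
        msg = "Unsupported CVSS version detected."
    # The message names only the detected version, never the submitted vector.
    raise exception_class(msg)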