API: prevent duplicate saves of taggable entities or when pushing to JIRA#12607

mtesauro merged 17 commits into
DefectDojo:devfrom
valentijnscholten:api-duplicate-saves-tags-jira-fix
Jun 19, 2025
cleanup logging

7f3d035
DryRunSecurity / General Security Analyzer succeeded Jun 16, 2025 in 1s

General Security Analyzer Findings: 3 detected

⚠️ Debug Information Exposure dojo/jira_link/helper.py (click for details)
Type Debug Information Exposure
Description The debug message formats the model object with `%s`, i.e. through its `__str__` (for a Finding presumably its title — confirm); whatever that representation contains is written to the log whenever DEBUG logging is enabled, including in production.
Filename dojo/jira_link/helper.py
raise ValueError(msg)
if isinstance(obj, Finding):
if obj.has_finding_group:
logger.debug("pushing finding group for %s to JIRA", obj)
return push_finding_group_to_jira(obj.finding_group, *args, **kwargs)
return push_finding_to_jira(obj, *args, **kwargs)
if isinstance(obj, Finding_Group):
⚠️ Verbose Error Logging dojo/api_v2/views.py (click for details)
Type Verbose Error Logging
Description Error messages are reported to include the full list of tags and the specific invalid tag (the raising line is not in the excerpt below, which shows only the tag-merge loop); this could help a caller enumerate existing tags through targeted error probing.
Filename dojo/api_v2/views.py
all_tags = serializers.TagSerializer({"tags": all_tags}).data[
"tags"
]
for tag in new_tags.validated_data["tags"]:
for sub_tag in tagulous.utils.parse_tags(tag):
if sub_tag not in all_tags:
all_tags.append(sub_tag)
new_tags = tagulous.utils.render_tags(all_tags)
finding.tags = new_tags
finding.save()
else:
⚠️ CVE ID Manipulation dojo/api_v2/serializers.py (click for details)
Type CVE ID Manipulation
Description The code sets the legacy `cve` field to the first entry of the caller-supplied `vulnerability_id_set` without any validation in this method (any validation would have to happen earlier, in the serializer field). A caller who is allowed to update the finding can therefore also choose its CVE identifier simply by ordering the list.
Filename dojo/api_v2/serializers.py
def update(self, instance, validated_data):
    """Persist an update to a finding, then optionally mirror it to JIRA.

    Overrides the default update so the non-model inputs are handled here:
    ``push_to_jira`` is popped (it must be present in ``validated_data`` --
    ``pop`` has no default, so a missing key raises ``KeyError``; the
    "push all issues" setting is checked by the API view, not here),
    ``vulnerability_id_set`` is popped and written through
    ``save_vulnerability_ids`` once the base update has run, and
    ``reporter`` is assigned directly on the instance before the base update.

    The legacy ``cve`` column is set to the first supplied vulnerability id.
    The ids are used as delivered by the serializer field; nothing in this
    method re-validates them, and an empty or absent set leaves ``cve``
    untouched. Permission to edit the finding is assumed to have been
    enforced by the view before this runs -- TODO confirm.

    Returns the updated instance.
    """
    push_requested = validated_data.pop("push_to_jira")

    # Pull the vulnerability ids (if any) out of validated_data; they live in
    # a separate table and are saved via a helper after the finding itself.
    vulnerability_ids = []
    raw_id_set = validated_data.pop("vulnerability_id_set", None)
    if raw_id_set:
        logger.debug("VULNERABILITY_ID_SET: %s", raw_id_set)
        vulnerability_ids = [entry["vulnerability_id"] for entry in raw_id_set]
        # The first id doubles as the legacy single-value cve column.
        logger.debug("SETTING CVE FROM VULNERABILITY_ID_SET: %s", vulnerability_ids[0])
        validated_data["cve"] = vulnerability_ids[0]

    reporter = validated_data.get("reporter")
    if reporter:
        instance.reporter = reporter

    instance = super().update(instance, validated_data)

    if vulnerability_ids:
        save_vulnerability_ids(instance, vulnerability_ids)
    if push_requested:
        jira_helper.push_to_jira(instance)
    return instance
def validate(self, data):
if self.context["request"].method == "PATCH":