Ruff: Fix PLC2701 + merge PLC #13436
Merged
DryRunSecurity / General Security Analyzer
succeeded
Oct 16, 2025 in 1m 41s
DryRun Security
Details
General Security Analyzer Findings: 2 detected
⚠️ Information Disclosure via Model Copying — dojo/models.py

| Field | Value |
| --- | --- |
| Type | Information Disclosure via Model Copying |
| Description | The copy_model_util function, when called without specifying exclude_fields, copies all fields from a model instance to a new one. Several copy methods in dojo/models.py use this utility without excluding potentially sensitive fields. This means that if a model contains sensitive data (e.g., internal network details, credentials, PII), this data will be duplicated into the new instance. If the copied instance is then accessible to unauthorized users or users with lower privileges, it can lead to information disclosure. |
| Filename | dojo/models.py |
| CodeLink | django-DefectDojo/dojo/models.py Lines 132 to 135 in ac2874e |
⚠️ Missing Authorization Checks in Model Copy Operations — dojo/models.py

| Field | Value |
| --- | --- |
| Type | Missing Authorization Checks in Model Copy Operations |
| Description | The copy_model_util function and the model-specific copy methods that utilize it (e.g., for NoteHistory, Engagement, Finding) do not include any authorization checks. This means that if these copy methods are invoked from any part of the application without explicit, robust authorization checks at the call site, a user could potentially bypass access controls. A user with read access to an object might be able to create a full copy of it, gaining ownership or access to data they were not authorized to create or fully access in the original context. |
| Filename | dojo/models.py |
| CodeLink | django-DefectDojo/dojo/models.py Lines 132 to 135 in ac2874e |