Ruff: Fix N805

e84f748
Merged

Ruff: Fix N805 #13437
DryRunSecurity / General Security Analyzer succeeded Oct 16, 2025 in 51s

DryRun Security

General Security Analyzer Findings: 1 detected

⚠️ Potential Authorization Bypass on Password Reset Flag (dojo/models.py)
Type: Potential Authorization Bypass on Password Reset Flag
Description: The enable_force_password_reset method, when called from the rate-limiting decorator in dojo/decorators.py, can be triggered by an unauthenticated attacker. By repeatedly attempting to log in with different valid usernames, an attacker can cause the rate limit to be hit for those users, thereby forcing them to reset their passwords. This constitutes a denial of service for legitimate users and an authorization bypass, as an attacker can force a security action on another user's account without proper authorization.
Filename: dojo/models.py
Code:
    def force_password_reset(user):
        return hasattr(user, "usercontactinfo") and user.usercontactinfo.force_password_reset

    def disable_force_password_reset(self):
        if hasattr(self, "usercontactinfo"):
            self.usercontactinfo.force_password_reset = False
            self.usercontactinfo.save()

    def enable_force_password_reset(self):
        if hasattr(self, "usercontactinfo"):
            self.usercontactinfo.force_password_reset = True
            self.usercontactinfo.save()

    @staticmethod
    def generate_full_name(user):