Skip to content

Ruff: Fix N805#13437

Merged
valentijnscholten merged 1 commit intoDefectDojo:devfrom
kiblik:ruff/N805
Oct 20, 2025
Merged

Ruff: Fix N805#13437
valentijnscholten merged 1 commit intoDefectDojo:devfrom
kiblik:ruff/N805

Conversation

@kiblik
Copy link
Copy Markdown
Contributor

@kiblik kiblik commented Oct 16, 2025

Fix N805 by making methods static or implementing them correctly.

@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Oct 16, 2025

DryRun Security

This pull request introduces a potential authorization bypass in which the rate-limiting decorator can cause enable_force_password_reset to be invoked by unauthenticated attackers: by repeatedly attempting logins for different valid usernames an attacker can trigger the rate limit and force password reset for those accounts, effectively enabling denial-of-service and unauthorized security actions on other users' accounts.

Potential Authorization Bypass on Password Reset Flag in dojo/models.py
Vulnerability Potential Authorization Bypass on Password Reset Flag
Description The enable_force_password_reset method, when called from the rate-limiting decorator in dojo/decorators.py, can be triggered by an unauthenticated attacker. By repeatedly attempting to log in with different valid usernames, an attacker can cause the rate limit to be hit for those users, thereby forcing them to reset their passwords. This constitutes a denial of service for legitimate users and an authorization bypass, as an attacker can force a security action on another user's account without proper authorization.

django-DefectDojo/dojo/models.py

Lines 231 to 245 in e84f748

def force_password_reset(user):
return hasattr(user, "usercontactinfo") and user.usercontactinfo.force_password_reset
def disable_force_password_reset(self):
if hasattr(self, "usercontactinfo"):
self.usercontactinfo.force_password_reset = False
self.usercontactinfo.save()
def enable_force_password_reset(self):
if hasattr(self, "usercontactinfo"):
self.usercontactinfo.force_password_reset = True
self.usercontactinfo.save()
@staticmethod
def generate_full_name(user):

All finding details can be found in the DryRun Security Dashboard.

@github-actions github-actions Bot added the lint label Oct 16, 2025
@valentijnscholten valentijnscholten added this to the 2.52.0 milestone Oct 16, 2025
mtesauro
mtesauro approved these changes Oct 17, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@valentijnscholten
Copy link
Copy Markdown
Member

valentijnscholten commented Oct 17, 2025

@kiblik would it make sense to double check the (force) change password still works?

@mtesauro
Copy link
Copy Markdown
Contributor

mtesauro commented Oct 17, 2025

@kiblik would it make sense to double check the (force) change password still works?

Great point @valentijnscholten I really doubt we have a test for that flow.

@kiblik
Copy link
Copy Markdown
Contributor Author

kiblik commented Oct 20, 2025

@kiblik would it make sense to double check the (force) change password still works?

Well, I had not been able to test enable_force_password_reset in dojo_ratelimit (doing local DOS attack is possible but not sure if I need to go that far with testing).
But I tried to change value force_password_reset manually and disable_force_password_reset in change_password was working as expected (after sucessful change of password, value was cleaned).

@valentijnscholten valentijnscholten merged commit b2eda48 into DefectDojo:dev Oct 20, 2025
148 checks passed
@kiblik kiblik deleted the ruff/N805 branch October 20, 2025 17:07
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
@kiblik
Ruff: Fix N805 (DefectDojo#13437)
88bbfc8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Maffooch approved these changes

@Jino-T Jino-T Jino-T approved these changes

Assignees

No one assigned

Labels

lint

Projects

None yet

Milestone

2.52.0

Development

Successfully merging this pull request may close these issues.

5 participants

@kiblik @valentijnscholten @mtesauro @Maffooch @Jino-T