Deduplicate findings in batches #13491
Merged
DryRunSecurity / General Security Analyzer: succeeded, Nov 14, 2025 in 2s
General Security Analyzer Findings: 3 detected
⚠️ Arbitrary Code Execution via Custom Method Loading (dojo/models.py)

| Field | Value |
|---|---|
| Type | Arbitrary Code Execution via Custom Method Loading |
| Description | The application dynamically loads a method for computing a hash code using get_custom_method("FINDING_COMPUTE_HASH_METHOD"). Based on the observed pattern in dojo/settings/settings.dist.py where settings are loaded from environment variables using env(), it is highly probable that the FINDING_COMPUTE_HASH_METHOD setting can be controlled via an environment variable (e.g., DD_FINDING_COMPUTE_HASH_METHOD). If an attacker can control this environment variable, they can inject an arbitrary module path and function name (e.g., 'os.system'). When get_custom_method resolves this string into a callable and compute_hash_code_method(self) is invoked, it leads to arbitrary code execution. |
| Filename | dojo/models.py |
| CodeLink | django-DefectDojo/dojo/models.py Lines 2919 to 2921 in 9011cee |
⚠️ Denial of Service via Misconfiguration (dojo/importers/default_importer.py)

| Field | Value |
|---|---|
| Type | Denial of Service via Misconfiguration |
| Description | The DD_IMPORT_REIMPORT_DEDUPE_BATCH_SIZE setting, which controls the batch size for asynchronous deduplication tasks, lacks validation for a minimum value. An administrator can configure this setting to a very low number (e.g., 1), causing the system to dispatch an excessive number of small Celery tasks during large imports or reimports. This can overwhelm the message broker and workers, leading to resource exhaustion and a denial of service for background processing. Each finding would result in a separate Celery task being dispatched, incurring significant overhead. |
| Filename | dojo/importers/default_importer.py |
| CodeLink | django-DefectDojo/dojo/importers/default_importer.py Lines 163 to 166 in 9011cee |
⚠️ Unauthorized Celery Queue Purge (Denial of Service) (dojo/management/commands/clear_celery_queue.py)

| Field | Value |
|---|---|
| Type | Unauthorized Celery Queue Purge (Denial of Service) |
| Description | The clear_celery_queue management command allows an attacker who can execute Django management commands to specify an arbitrary Celery queue name via the --queue argument. This input is not validated or sanitized against an allowlist of safe-to-purge queues. Consequently, an attacker could purge critical application queues (e.g., 'celery', or queues handling deduplication/post-processing tasks), leading to a denial of service by halting essential background processes, causing data inconsistencies, and disrupting application functionality. While the command includes a confirmation prompt, it can be bypassed with the --force flag, making the operation destructive without user interaction. |
| Filename | dojo/management/commands/clear_celery_queue.py |
| CodeLink | django-DefectDojo/dojo/management/commands/clear_celery_queue.py Lines 99 to 102 in 9011cee |
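The first finding hinges on a dotted-path loader resolving whatever string a setting carries. The following is an added, self-contained example and not DefectDojo's code: it shows a naive `module.attr` resolver handing back `os.system` when the setting value says so (the callable is resolved, never invoked), and an allowlisted resolver that refuses before importing anything. The constructed environment dict, the `DD_FINDING_COMPUTE_HASH_METHOD` variable name, the `hashlib`-only allowlist and the `hashlib.sha256` default are assumptions for illustration; DefectDojo's real `get_custom_method` may differ in detail.

```python
"""Added example (not DefectDojo code): a dotted-path method loader that turns a
setting value into an arbitrary callable, beside an allowlisted loader that does not.

The env-var name, the default method and the allowlist contents are assumptions.
"""
import importlib
import os
from collections.abc import Callable

# Constructed stand-in for os.environ: whoever controls this value chooses which
# callable the application will later invoke as its "hash method".
CONSTRUCTED_ENV = {"DD_FINDING_COMPUTE_HASH_METHOD": "os.system"}

# Hypothetical allowlist; a real deployment would list the project's own hash modules.
ALLOWED_HASH_MODULES = frozenset({"hashlib"})


def resolve_dotted_path(path: str) -> Callable:
    """Naive loader: 'pkg.module.attr' -> callable.

    Any importable module is reachable, so 'os.system', 'subprocess.call' or
    'builtins.exec' resolve just as happily as a real hash function would.
    """
    module_name, _, attr = path.rpartition(".")
    if not module_name or not attr:
        raise ValueError(f"expected 'module.attr', got {path!r}")
    module = importlib.import_module(module_name)
    target = getattr(module, attr)
    if not callable(target):
        raise TypeError(f"{path} is not callable")
    return target


def resolve_allowlisted(path: str, allowed_modules: frozenset[str]) -> Callable:
    """Hardened loader: the module part must be on an explicit allowlist.

    The check runs before importlib.import_module, so an attacker-controlled
    value cannot even trigger the import-time side effects of a foreign module.
    """
    module_name, _, _attr = path.rpartition(".")
    if module_name not in allowed_modules:
        raise ValueError(f"refusing to load {path!r}: module {module_name!r} is not allowlisted")
    return resolve_dotted_path(path)


def load_hash_method(env: dict, allowed_modules: frozenset[str] = ALLOWED_HASH_MODULES) -> Callable:
    """Read the setting the way the finding describes (env -> dotted path -> callable), via the allowlist."""
    path = env.get("DD_FINDING_COMPUTE_HASH_METHOD", "hashlib.sha256")
    return resolve_allowlisted(path, allowed_modules)


def naive_loader_reaches_os_system() -> bool:
    """Demonstrates the finding: the naive loader returns os.system itself (not called here)."""
    return resolve_dotted_path(CONSTRUCTED_ENV["DD_FINDING_COMPUTE_HASH_METHOD"]) is os.system


def hardened_loader_rejects_env() -> bool:
    """The same attacker-controlled value is rejected before any import happens."""
    try:
        load_hash_method(CONSTRUCTED_ENV)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive loader resolves os.system:", naive_loader_reaches_os_system())
    print("allowlisted loader rejects it:", hardened_loader_rejects_env())
    print("default method digest of b'finding':", load_hash_method({})(b"finding").hexdigest())
```

Note that checking the resolved object's signature would not help here: `os.system` takes a single positional argument, exactly like a `compute_hash(finding)` callable would. The control that matters is restricting which modules may be named at all.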
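The second and third findings are both about operator-supplied values that the code accepts without bounds: a batch size with no floor, and a queue name with no allowlist. The following added example (not DefectDojo's code) shows the task-count effect of a tiny batch size against a fake broker that only records messages, a bounded parser for `DD_IMPORT_REIMPORT_DEDUPE_BATCH_SIZE`, and an allowlist check for `--queue` that `--force` cannot skip. The default, floor and ceiling values, the queue names and the `dedupe_batch` task name are assumptions for illustration.

```python
"""Added example (not DefectDojo code): bounding an operator-supplied batch size
and allowlisting purgeable queue names.

Setting names follow the DD_ convention from the findings; the numeric bounds,
queue names and task name are assumptions.
"""
from dataclasses import dataclass, field

DEFAULT_DEDUPE_BATCH_SIZE = 1000   # assumed default
MIN_DEDUPE_BATCH_SIZE = 50         # assumed floor: below this, per-task overhead dominates
MAX_DEDUPE_BATCH_SIZE = 10_000     # assumed ceiling: one enormous task is a different failure mode

# Hypothetical queues that are safe to purge; 'celery' is deliberately absent.
PURGEABLE_QUEUES = frozenset({"dedupe", "post_processing"})


def parse_batch_size(raw, *, default: int = DEFAULT_DEDUPE_BATCH_SIZE,
                     minimum: int = MIN_DEDUPE_BATCH_SIZE,
                     maximum: int = MAX_DEDUPE_BATCH_SIZE) -> int:
    """Turn the DD_IMPORT_REIMPORT_DEDUPE_BATCH_SIZE value into a bounded int.

    Unset -> default. Non-integer or out-of-range -> ValueError at settings load
    time, which beats discovering the problem mid-way through a large import.
    """
    if raw is None or raw == "":
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"DD_IMPORT_REIMPORT_DEDUPE_BATCH_SIZE must be an integer, got {raw!r}") from None
    if not minimum <= value <= maximum:
        raise ValueError(
            f"DD_IMPORT_REIMPORT_DEDUPE_BATCH_SIZE must be between {minimum} and {maximum}, got {value}")
    return value


@dataclass
class FakeBroker:
    """Stand-in for the Celery broker: records every task message instead of sending it."""
    messages: list = field(default_factory=list)

    def send_task(self, name: str, finding_ids: list[int]) -> None:
        self.messages.append((name, tuple(finding_ids)))


def dispatch_dedupe_batches(broker: FakeBroker, finding_ids: list[int], batch_size: int) -> int:
    """Dispatch one task per batch; returns the number of broker messages produced."""
    if batch_size < 1:
        raise ValueError("batch_size must be positive")
    for start in range(0, len(finding_ids), batch_size):
        broker.send_task("dedupe_batch", finding_ids[start:start + batch_size])
    return len(broker.messages)


def messages_for(num_findings: int, batch_size: int) -> int:
    """How many broker messages an import of num_findings findings produces at a given batch size."""
    return dispatch_dedupe_batches(FakeBroker(), list(range(num_findings)), batch_size)


def check_purgeable(queue: str, allowed: frozenset[str] = PURGEABLE_QUEUES) -> str:
    """Reject any --queue value not on the allowlist; applies whether or not --force was given."""
    if queue not in allowed:
        raise ValueError(f"queue {queue!r} is not purgeable; allowed: {sorted(allowed)}")
    return queue


if __name__ == "__main__":
    print("messages for 5000 findings at batch size 1:", messages_for(5000, 1))
    print("messages for 5000 findings at batch size 1000:", messages_for(5000, 1000))
    print("parsed batch size from unset env:", parse_batch_size(None))
    for raw in ("1", "abc"):
        try:
            parse_batch_size(raw)
        except ValueError as exc:
            print("rejected:", exc)
    for queue in ("dedupe", "celery"):
        try:
            print("purge allowed for", check_purgeable(queue))
        except ValueError as exc:
            print("rejected:", exc)
```

The allowlist check belongs before the confirmation prompt, so that `--force` only skips the prompt and never the validation.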