🐛 calendar: Fix incorrect end dates for engagements and tests #13593 #13595
valentijnscholten merged 3 commits into DefectDojo:bugfix from
Conversation
🔴 Risk threshold exceeded.This pull request makes edits to sensitive codepaths (dojo/engagement/views.py and dojo/test/views.py) flagged by the scanner and also contains a data-display issue in dojo/test/views.py where test.target_end is incremented by one day in-memory for calendar display without persisting the change, causing the UI to show a date that differs from the stored value.
🔴 Configured Codepaths Edit in dojo/test/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/engagement/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Data Integrity Issue (Display) in dojo/test/views.py
| Vulnerability | Data Integrity Issue (Display) |
|---|---|
| Description | The code in dojo/test/views.py modifies the target_end attribute of test objects by adding one day. This modification is performed in-memory and is not persisted to the database, as there is no save() call or bulk update operation. This leads to a discrepancy where the date displayed in the calendar view is one day later than the actual target_end date stored in the database. While it doesn't corrupt the stored data, it misrepresents the data to the user, potentially causing confusion or incorrect decisions based on the displayed information. |
Referenced code: django-DefectDojo/dojo/test/views.py, lines 398 to 401 at d8e8ccd
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
valentijnscholten
left a comment
Why do we need to add 1 day?
Because of: #13593
valentijnscholten
left a comment
I know. But why is the solution to add 1 day. Or do we do that everywhere?
To be honest, I didn't look deeper into this.
In truth, I wondered that as well, but (my bad) I assumed it was only for the corner case, not in general.

So, I spent a little time investigating: time range: 03 Nov 2025 00:00 → 10 Nov 2025 00:00. So, the start date is inclusive and the end date is exclusive. That's why we have to add 1 day in this special case, as we don't have a specific time slot but a time range.
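To make the inclusive/exclusive point above concrete, and to show how the "+1 day" can be done without the in-memory mutation the DryRun finding describes, here is an added example. It is not DefectDojo's code: ScheduledItem, to_calendar_event, calendar_feed and the sample rows are stand-ins for the Engagement/Test models and the calendar view, and it assumes a FullCalendar-style event feed (the thread does not name the calendar library) in which an all-day event's start is inclusive and its end is exclusive. The exclusive end is computed into the event dict, so the stored target_end is never touched.

```python
"""Added example: stored inclusive end dates -> exclusive calendar end dates.

Constructed stand-in for DefectDojo's calendar view; not the project's code.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Tuple, Union

DateLike = Union[date, datetime]


@dataclass
class ScheduledItem:
    """Assumed stand-in for an Engagement/Test row. target_end is the last
    scheduled day (inclusive), which is how the value is stored."""
    id: int
    title: str
    target_start: DateLike
    target_end: DateLike


def _as_date(value: DateLike) -> date:
    """All-day calendar events are date-based; drop any time component."""
    return value.date() if isinstance(value, datetime) else value


def to_calendar_event(item: ScheduledItem) -> dict:
    """Build a FullCalendar-style all-day event dict for one row.

    The calendar reads 'start' as inclusive and 'end' as exclusive, so the
    displayed end is the stored inclusive end plus one day. The addition is
    done on a local value only: item.target_end is never modified, so a later
    save() of the same object cannot drift the row by a day.
    """
    start = _as_date(item.target_start)
    end_inclusive = _as_date(item.target_end)
    if end_inclusive < start:
        raise ValueError(f"item {item.id}: target_end precedes target_start")
    return {
        "id": item.id,
        "title": item.title,
        "allDay": True,
        "start": start.isoformat(),
        "end": (end_inclusive + timedelta(days=1)).isoformat(),  # exclusive
    }


def calendar_feed(items) -> Tuple[List[dict], List[int]]:
    """Convert all rows; a row with a reversed range is skipped and its id is
    reported instead of breaking the whole calendar page."""
    events, skipped = [], []
    for item in items:
        try:
            events.append(to_calendar_event(item))
        except ValueError:
            skipped.append(item.id)
    return events, skipped


# Constructed sample rows (not real DefectDojo data).
SAMPLE_ITEMS = [
    # One week, 3 Nov through 9 Nov inclusive: rendered as 03 Nov -> 10 Nov 00:00.
    ScheduledItem(1, "Engagement: Q4 pentest", date(2025, 11, 3), date(2025, 11, 9)),
    # Single-day test stored with times; must render as one full day, not zero days.
    ScheduledItem(2, "Test: ZAP baseline", datetime(2025, 11, 5, 9, 30), datetime(2025, 11, 5, 17, 0)),
    # Reversed range: flagged and left out rather than drawn as a negative span.
    ScheduledItem(3, "Test: bad dates", date(2025, 11, 9), date(2025, 11, 3)),
]

if __name__ == "__main__":
    feed, bad_ids = calendar_feed(SAMPLE_ITEMS)
    for event in feed:
        print(event)
    print("skipped:", bad_ids)
```

Because the event dict is built from local values, the same objects can be reused elsewhere in the view (or passed to a bulk update) without carrying a display-only offset; the single-day row in the sample is the case where forgetting the +1 would make the event vanish entirely, since start and exclusive end would coincide.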
valentijnscholten
left a comment
Ok thanks. I was wondering earlier if it could be something like a "off by 1 hour" timezone thing. But this makes sense now.
#13593