SLA Calculations: Remove product grade calculation and consolidate task handlers#13630
Merged
Maffooch merged 4 commits intoDefectDojo:bugfixfrom Nov 7, 2025
Merged
SLA Calculations: Remove product grade calculation and consolidate task handlers#13630Maffooch merged 4 commits intoDefectDojo:bugfixfrom
Maffooch merged 4 commits intoDefectDojo:bugfixfrom
Conversation
…improve system settings checks
valentijnscholten
approved these changes
Nov 6, 2025
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
|
This pull request introduces dynamic loading and execution of a method based on the FINDING_SLA_PERIOD_METHOD system setting, which allows an admin-updatable string to specify a function path that the application will import and call; if an attacker with administrative privileges can modify that setting they could cause arbitrary code execution on the server. This is a critical remote code execution risk stemming from executing user-configurable function paths.
Arbitrary Code Execution via Dynamic Method Loading in
|
| Vulnerability | Arbitrary Code Execution via Dynamic Method Loading |
|---|---|
| Description | The application dynamically loads and executes a method based on the FINDING_SLA_PERIOD_METHOD setting, which is stored in the System_Settings model. If an attacker with administrative privileges can modify this setting, they can specify a path to an arbitrary function (e.g., os.system or a custom malicious function) that will then be executed by the application, leading to arbitrary code execution on the server. |
django-DefectDojo/dojo/models.py
Lines 3151 to 3152 in 9e4aecd
All finding details can be found in the DryRun Security Dashboard.
Jino-T
approved these changes
Nov 6, 2025
blakeaowens
approved these changes
Nov 7, 2025
Maffooch
added a commit
to valentijnscholten/django-DefectDojo
that referenced
this pull request
Feb 16, 2026
…sk handlers (DefectDojo#13630) * Add custom SLA calculation method to Finding model * Refactor SLA expiration date update methods for async processing and improve system settings checks * Update async SLA expiration date update to filter by product ID * Update helpers.py Co-authored-by: valentijnscholten <valentijnscholten@gmail.com> --------- Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When reviewing the SLA calculation functions, I was confused by the two helper functions and consolidated them. Additionally, I noticed the product grade calculation may be wasted compute. The SLA of a finding is not considered as part of the product grade, so no reason to the recalculate