Skip to content

SLA Calculations: Remove product grade calculation and consolidate task handlers #13630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Maffooch merged 4 commits into from
Nov 7, 2025

Update helpers.py

9e4aecd
Select commit
Loading
Failed to load commit list.
Merged

SLA Calculations: Remove product grade calculation and consolidate task handlers #13630

Update helpers.py
9e4aecd
Select commit
Loading
Failed to load commit list.
DryRunSecurity / General Security Analyzer succeeded Nov 6, 2025 in 50s

DryRun Security

Details

General Security Analyzer Findings: 1 detected

⚠️ Arbitrary Code Execution via Dynamic Method Loading dojo/models.py (click for details)
Type Arbitrary Code Execution via Dynamic Method Loading
Description The application dynamically loads and executes a method based on the FINDING_SLA_PERIOD_METHOD setting, which is stored in the System_Settings model. If an attacker with administrative privileges can modify this setting, they can specify a path to an arbitrary function (e.g., os.system or a custom malicious function) that will then be executed by the application, leading to arbitrary code execution on the server.
Filename dojo/models.py
CodeLink

django-DefectDojo/dojo/models.py

Lines 3151 to 3152 in 9e4aecd

if method := get_custom_method("FINDING_SLA_PERIOD_METHOD"):
return method(self)
View more details on DryRunSecurity