🐛 fix create questionnaire with empty survey

[manuel-sommer]

nginx-1         | 172.18.0.1 - - [17/Nov/2025:14:37:32 +0000] "GET /empty_questionnaire HTTP/1.1" 200 8573 "http://localhost:8080/questionnaire" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0" "-"
nginx-1         | 172.18.0.1 - - [17/Nov/2025:14:37:32 +0000] "GET /static/dojo/img/favicon.png HTTP/1.1" 200 243 "http://localhost:8080/empty_questionnaire" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0" "-"
uwsgi-1         | [17/Nov/2025 14:37:37] DEBUG [dojo.middleware:71] Authenticated user:
uwsgi-1         | [17/Nov/2025 14:37:37] ERROR [dojo.middleware:104] Unhandled exception during social login: DateTimeField General_Survey.expiration received a naive datetime (2025-11-19 00:00:00) while time zone support is active.
uwsgi-1         | [17/Nov/2025 14:37:37] ERROR [django.request:253] Internal Server Error: /empty_questionnaire
uwsgi-1         | Traceback (most recent call last):
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/core/handlers/exception.py", line 55, in inner
uwsgi-1         |     response = get_response(request)
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/core/handlers/base.py", line 197, in _get_response
uwsgi-1         |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
uwsgi-1         |   File "/app/dojo/authorization/authorization_decorators.py", line 63, in _wrapped
uwsgi-1         |     return func(request, *args, **kwargs)
uwsgi-1         |   File "/app/dojo/survey/views.py", line 621, in add_empty_questionnaire
uwsgi-1         |     if form.is_valid():
uwsgi-1         |        ~~~~~~~~~~~~~^^
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/forms/forms.py", line 197, in is_valid
uwsgi-1         |     return self.is_bound and not self.errors
uwsgi-1         |                                  ^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/forms/forms.py", line 192, in errors
uwsgi-1         |     self.full_clean()
uwsgi-1         |     ~~~~~~~~~~~~~~~^^
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/forms/forms.py", line 327, in full_clean
uwsgi-1         |     self._post_clean()
uwsgi-1         |     ~~~~~~~~~~~~~~~~^^
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/forms/models.py", line 498, in _post_clean
uwsgi-1         |     self.instance.full_clean(exclude=exclude, validate_unique=False)
uwsgi-1         |     ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/db/models/base.py", line 1619, in full_clean
uwsgi-1         |     self.clean_fields(exclude=exclude)
uwsgi-1         |     ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/db/models/base.py", line 1674, in clean_fields
uwsgi-1         |     setattr(self, f.attname, f.clean(raw_value, self))
uwsgi-1         |                              ~~~~~~~^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/db/models/fields/__init__.py", line 830, in clean
uwsgi-1         |     value = self.to_python(value)
uwsgi-1         |   File "/usr/local/lib/python3.13/site-packages/django/db/models/fields/__init__.py", line 1606, in to_python
uwsgi-1         |     warnings.warn(
uwsgi-1         |     ~~~~~~~~~~~~~^
uwsgi-1         |         f"DateTimeField {name} received a naive datetime ({value}) while "
uwsgi-1         |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |         "time zone support is active.",
uwsgi-1         |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |         RuntimeWarning,
uwsgi-1         |         ^^^^^^^^^^^^^^^
uwsgi-1         |     )
uwsgi-1         |     ^
uwsgi-1         | RuntimeWarning: DateTimeField General_Survey.expiration received a naive datetime (2025-11-19 00:00:00) while time zone support is active.

[manuel-sommer]

@valentijnscholten please review

[valentijnscholten]

Can you base this against dev to reduce the chance of having to rebase migrations during merge back of a bugfix release?

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[dryrunsecurity]

🔴 Risk threshold exceeded.

This pull request modifies several sensitive files (models, migrations, templates, Jira helper, importers) and introduces risks including excessive JIRA API calls when pushing finding groups, an IDOR in batch finding post-processing that skips per-user authorization, a management command that uses an unvalidated queue name (potential command argument injection/DoS), and a configurable dedupe batch size that could be weaponized to cause resource exhaustion.

🔴 Configured Codepaths Edit in dojo/db_migrations/0247_remove_finding_insert_insert_and_more.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/jira_link/helper.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Excessive JIRA API Calls in dojo/jira_link/helper.py

Vulnerability

Excessive JIRA API Calls

Description

The push_finding_group_to_jira function now iterates over all findings within a group and calls update_jira_issue for each. This means that for a finding group with N findings, there will be N+1 calls to JIRA (N for individual findings and 1 for the group). If N is large, this can lead to an excessive number of API calls, potentially causing rate limiting or denial of service for the JIRA integration.

django-DefectDojo/dojo/jira_link/helper.py

Lines 787 to 788 in abf06e1

	for finding in finding_group.findings.filter(jira_issue__isnull=False):
	update_jira_issue(finding, *args, **kwargs)

Insecure Direct Object Reference (IDOR) in dojo/finding/helper.py

Vulnerability

Insecure Direct Object Reference (IDOR)

Description

The post_process_findings_batch function processes a list of finding_ids without verifying that the user (which defaults to None in the observed call sites) has the necessary permissions to access or modify each finding. The get_finding_models_for_deduplication function, called by post_process_findings_batch, fetches findings solely based on their IDs, without any user-specific authorization. This allows for unauthorized modification or access to findings if an attacker can control the finding_ids supplied to this batch processing function.

django-DefectDojo/dojo/finding/helper.py

Lines 474 to 477 in abf06e1

	@dojo_async_task
	@app.task
	def post_process_findings_batch(finding_ids, *args, dedupe_option=True, rules_option=True, product_grading_option=True,
	issue_updater_option=True, push_to_jira=False, user=None, **kwargs):

Potential Command Argument Injection in dojo/management/commands/clear_celery_queue.py

Vulnerability

Potential Command Argument Injection

Description

The clear_celery_queue management command takes a --queue argument directly from user input. This queue_name is then used without any validation or sanitization in Celery broker operations, specifically channel.queue_declare and channel.queue_purge. While management commands are typically run by trusted users, if this command were ever exposed to untrusted input, a malicious queue_name could potentially lead to a denial of service by purging unintended queues or causing errors in the Celery broker.

django-DefectDojo/dojo/management/commands/clear_celery_queue.py

Lines 31 to 34 in abf06e1

	queue_name = options["queue"]
	dry_run = options["dry_run"]
	force = options["force"]

Potential Resource Exhaustion via Configuration in dojo/management/commands/dedupe.py

Vulnerability

Potential Resource Exhaustion via Configuration

Description

The IMPORT_REIMPORT_DEDUPE_BATCH_SIZE setting, which controls the batch size for deduplication tasks, can be configured to an arbitrarily low value (e.g., 1). While this setting is intended for administrators, if an attacker gains administrative access, they could set this value to 1. This would cause the system to create a large number of small tasks and perform many more database queries for deduplication, potentially leading to significant resource exhaustion and denial of service, especially in environments with a high volume of findings.

django-DefectDojo/dojo/management/commands/dedupe.py

Lines 127 to 130 in abf06e1

	batch_max_size = getattr(settings, "IMPORT_REIMPORT_DEDUPE_BATCH_SIZE", 1000)
	total_findings = findings_queryset.count()
	logger.info(f"Processing {total_findings} findings in batches of max {batch_max_size} per test ({mode_str})")

We've notified @mtesauro.

---

All finding details can be found in the DryRun Security Dashboard.