Skip to content

Validate consistency between ID-based and name-based identifiers in import/reimport#14636

Merged
Maffooch merged 5 commits intoDefectDojo:bugfixfrom
Jino-T:reimport-change
Apr 17, 2026
Merged

Validate consistency between ID-based and name-based identifiers in import/reimport#14636
Maffooch merged 5 commits intoDefectDojo:bugfixfrom
Jino-T:reimport-change

Conversation

@Jino-T
Copy link
Copy Markdown
Contributor

@Jino-T Jino-T commented Apr 3, 2026
edited by Maffooch
Loading

  • Add validation in the import and reimport permission checks to ensure that when both ID-based
    identifiers (e.g. test, engagement) and name-based identifiers (e.g. product_name, engagement_name) are
    provided, they refer to the same objects
  • Add defense-in-depth checks in AutoCreateContextManager to reject conflicting resolution paths at the
    target lookup layer
  • Add tests covering the new validation behavior

@github-actions github-actions Bot added New Migration Adding a new migration file. Take care when merging. apiv2 labels Apr 3, 2026
@Maffooch @claude
Fix reimport-scan API authorization bypass via conflicting identifiers
985e0b8 
Validate that ID-resolved objects (test, engagement) are consistent with
name-based identifiers (product_name, engagement_name) in both the
permission check layer and the AutoCreateContextManager resolution layer.
This prevents an attacker from passing their own engagement/test ID to
satisfy the permission check while using name-based fields to target a
victim's product.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch changed the base branch from dev to bugfix April 14, 2026 21:26
@github-actions github-actions Bot added unittests and removed New Migration Adding a new migration file. Take care when merging. labels Apr 14, 2026
@Maffooch @claude
Use ID-based comparisons and add engagement_name check to import
92cd890 
- Switch permission checks to use ID comparisons (product_id, engagement_id)
  where resolved objects are available, with name fallback for unresolved cases
- Add engagement_name validation to UserHasImportPermission (was missing)
- Fix ruff string quoting in auto_create_context.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch changed the title Reimport change Validate consistency between ID-based and name-based identifiers in import/reimport Apr 14, 2026
@Maffooch @claude
Strip undeclared engagement field in reimport permission check
6dd70f8 
The engagement field is not declared on ReImportScanSerializer and gets
stripped during validation. The permission check must also strip it so it
resolves targets the same way execution does — by name, not by a stale
engagement ID from request.data.

Update test to verify the engagement param is ignored and permission is
checked against the name-resolved target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch marked this pull request as ready for review April 14, 2026 22:32
@Maffooch Maffooch requested a review from mtesauro as a code owner April 14, 2026 22:32
@Maffooch Maffooch added this to the 2.57.2 milestone Apr 14, 2026
mtesauro
mtesauro approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch @claude
Fix information disclosure in conflict validation error messages
70c2c19 
Replace error messages that leaked resolved object names (product names,
engagement names) with generic messages. An attacker could enumerate
object names by sending conflicting ID-based and name-based identifiers
and reading the detailed error responses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Apr 16, 2026

DryRun Security

This pull request introduces validation checks that compare user-supplied identifiers (e.g., test/engagement/product IDs or names) against resolved database objects before authorization checks, which can leak information via distinct ValidationError responses and enable enumeration of valid resource IDs and relationships (engagement→product) even to unauthorized users. The behavior reveals object existence and associations by returning 400 errors for mismatches instead of 403 permission errors, posing a low-severity information disclosure risk.

Resource Enumeration via Validation Error in dojo/api_v2/permissions.py (drs_eaf4608f)
Vulnerability Resource Enumeration via Validation Error
Description The code introduces explicit validation checks that compare user-provided identifiers (e.g., product/engagement names or IDs) against resolved database objects before performing an authorization check (user_has_permission). By submitting various combinations of identifiers (both valid and invalid/mismatched), an unauthorized user can receive distinct ValidationError messages or observe different response behaviors based on whether the resolved test object exists and its relationships to the provided parameters. This allows for the systematic enumeration of valid test IDs, their associated engagements, and parent products, as well as the inference of their specific names via error messages.

django-DefectDojo/dojo/api_v2/permissions.py

Lines 792 to 794 in 70c2c19

if (engagement := converted_dict.get("engagement")) and test.engagement_id != engagement.id:
msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement."
raise ValidationError(msg)

Resource Enumeration via Validation Error in dojo/api_v2/permissions.py (drs_86777e02)
Vulnerability Resource Enumeration via Validation Error
Description The validation check happens after the objects (engagement and product) have already been fetched from the database, likely using system-level privileges or public read access. By comparing whether an engagement belongs to a product and raising a ValidationError (400 Bad Request) when they do not match, the application reveals whether a specific engagement belongs to a specific product. This is distinguishable from a PermissionDenied (403 Forbidden) error, which would be returned if the user lacks access to the object. An attacker can use this difference to enumerate existing relationships between resources even if they lack direct read access to those resources.

django-DefectDojo/dojo/api_v2/permissions.py

Lines 477 to 479 in 70c2c19

if (product := converted_dict.get("product")) and engagement.product_id != product.id:
msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product."
raise ValidationError(msg)

Comment to provide feedback on these findings.

Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]

Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing

All finding details can be found in the DryRun Security Dashboard.

@Maffooch Maffooch merged commit 4decd88 into DefectDojo:bugfix Apr 17, 2026
157 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@paulOsinski paulOsinski paulOsinski approved these changes

@Maffooch Maffooch Maffooch approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees

No one assigned

Labels

apiv2 unittests

Projects

None yet

Milestone

2.57.2

Development

Successfully merging this pull request may close these issues.

6 participants

@Jino-T @mtesauro @valentijnscholten @paulOsinski @Maffooch @blakeaowens