Fix information disclosure in conflict validation error messages

70c2c19
Merged

Validate consistency between ID-based and name-based identifiers in import/reimport #14636

DryRunSecurity / General Security Analyzer succeeded Apr 16, 2026 in 1m 12s

General Security Analyzer Findings: 2 detected

⚠️ Resource Enumeration via Validation Error (dojo/api_v2/permissions.py)
Type: Resource Enumeration via Validation Error
Description: The validation check runs after the objects (engagement and product) have already been fetched from the database, likely using system-level privileges or public read access. By comparing whether an engagement belongs to a product and raising a ValidationError (400 Bad Request) when they do not match, the application reveals whether a specific engagement belongs to a specific product. That response is distinguishable from a PermissionDenied (403 Forbidden), which would be returned if the user lacked access to the object. An attacker can use this difference to enumerate existing relationships between resources even without direct read access to those resources.
Filename: dojo/api_v2/permissions.py
Code:
    if (product := converted_dict.get("product")) and engagement.product_id != product.id:
        msg = "The provided identifiers are inconsistent — the engagement does not belong to the specified product."
        raise ValidationError(msg)
⚠️ Resource Enumeration via Validation Error (dojo/api_v2/permissions.py)
Type: Resource Enumeration via Validation Error
Description: The code introduces explicit validation checks that compare user-provided identifiers (e.g., product/engagement names or IDs) against resolved database objects before the authorization check (user_has_permission) is performed. By submitting various combinations of identifiers (valid as well as invalid or mismatched), an unauthorized user can receive distinct ValidationError messages, or observe different response behaviour, depending on whether the resolved test object exists and how it relates to the supplied parameters. This allows systematic enumeration of valid test IDs, their associated engagements and parent products, and inference of their names via the error messages.
Filename: dojo/api_v2/permissions.py
Code:
    if (engagement := converted_dict.get("engagement")) and test.engagement_id != engagement.id:
        msg = "The provided identifiers are inconsistent — the test does not belong to the specified engagement."
        raise ValidationError(msg)