:bug: Remove unselected parsers from filters and test types by manuel-sommer · Pull Request #13767 · DefectDojo/django-DefectDojo
🔴 Risk threshold exceeded.
This pull request makes sensitive edits to multiple files (dojo/filters.py, dojo/finding/views.py, and dojo/utils.py) and includes an information disclosure issue where get_visible_scan_types() in dojo/finding/views.py returns all active Test_Type objects without authorization checks, potentially exposing internal scan/type information to unauthorized users.
🔴 Configured Codepaths Edit in dojo/finding/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/filters.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Information Disclosure in dojo/finding/views.py
| Vulnerability | Information Disclosure |
|---|---|
| Description | The get_visible_scan_types() function, called within the get_initial_context method of a view, retrieves all active Test_Type objects without any authorization checks. This means that any authenticated user accessing this view could potentially see a list of all active scan types configured in the system. If these Test_Type objects contain sensitive information, such as names of internal-only tools, custom scanners, or proprietary processes, this constitutes an information disclosure. This provides reconnaissance information to a low-privileged user, which could aid in further attacks. |
django-DefectDojo/dojo/finding/views.py
Lines 303 to 309 in 9ac9cd9

```python
            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
            "title_words": get_words_for_field(Finding, "title"),
            "component_words": get_words_for_field(Finding, "component_name"),
            "visible_test_types": get_visible_scan_types(),
        }
        # Look to see if the product was used
        if product_id := self.get_product_id():
```
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.