
Ruff: clean-up after multiple merges not covered by new rules #10078

Merged
merged 15 commits into from
May 2, 2024

Fix unittest

ce8e084
DryRunSecurity / Authn/Authz Analyzer succeeded May 1, 2024 in 35s

DryRun Security


Authn/Authz Analyzer Findings: 16 detected

⚠️ Potential Authn/Authz Function Used or Modified dojo/api_v2/permissions.py
Type Potential Authn/Authz Function Used or Modified
Description The provided code contains a function called has_permission() which is likely related to authorization. This function checks whether the user making the request has the necessary permissions to access the requested resource, which is a common authorization-related functionality.
Filename dojo/api_v2/permissions.py
Code
            )
        elif engagement_id:
            # engagement_id doesn't exist
            msg = f"Engagement '{engagement_id}' doesn't exist"
            raise serializers.ValidationError(msg)
        if not auto_create_context:
            raise_no_auto_create_import_validation_error(
⚠️ Potential Authn/Authz Function Used or Modified dojo/api_v2/permissions.py
Type Potential Authn/Authz Function Used or Modified
Description The has_permission function in the provided Python code checks if the user has permission to perform an action based on the existence of a product_id. This suggests that the function is related to authorization, as it determines whether the user is allowed to access a specific resource (a product) or not.
Filename dojo/api_v2/permissions.py
Code
            )
        elif product_id:
            # product_id doesn't exist
            msg = f"product '{product_id}' doesn't exist"
            raise serializers.ValidationError(msg)
        else:
            msg = "Need product_id or product_name to perform import"
            raise serializers.ValidationError(msg)
⚠️ Potential Authn/Authz Function Used or Modified dojo/api_v2/permissions.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to authentication or authorization, specifically the user_has_permission and user_has_global_permission functions. These functions appear to be checking the user's permissions to perform certain actions, such as creating engagements, importing scan results, and creating product types. This indicates that the code is handling authorization and access control mechanisms.
Filename dojo/api_v2/permissions.py
Code
        if product and product_name and engagement_name:
            if not user_has_permission(user, product, Permissions.Engagement_Add):
                msg = f"No permission to create engagements in product '{product_name}'"
                raise PermissionDenied(msg)
            if not user_has_permission(
                user, product, Permissions.Import_Scan_Result
            ):
                msg = f"No permission to import scans into product '{product_name}'"
                raise PermissionDenied(msg)
            # all good
            return True
        if not product and product_name:
            if not product_type_name:
                msg = f"Product '{product_name}' doesn't exist and no product_type_name provided to create the new product in"
                raise serializers.ValidationError(msg)
            if not product_type:
                if not user_has_global_permission(
                    user, Permissions.Product_Type_Add
                ):
                    msg = f"No permission to create product_type '{product_type_name}'"
                    raise PermissionDenied(msg)
                # new product type can be created with current user as owner, so
                # all objects in it can be created as well
                return True
            else:
                if not user_has_permission(
                    user, product_type, Permissions.Product_Type_Add_Product
                ):
                    msg = f"No permission to create products in product_type '{product_type}'"
                    raise PermissionDenied(msg)
                # product can be created, so objects in it can be created as well
                return True
⚠️ Potential Authn/Authz Function Used or Modified dojo/endpoint/views.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called delete_endpoint that appears to handle the deletion of an endpoint. This function includes a call to create_notification which takes the request.user as a parameter, indicating that the function is dealing with authenticated users and potentially authorization checks.
Filename dojo/endpoint/views.py
Code
                                 'Endpoint and relationships removed.',
                                 extra_tags='alert-success')
            create_notification(event='other',
                                title=f'Deletion of {endpoint}',
                                product=product,
                                description=f'The endpoint "{endpoint}" was deleted by {request.user}',
                                url=reverse('endpoint'),
⚠️ Potential Authn/Authz Function Used or Modified dojo/engagement/views.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function named add_risk_acceptance which is related to accepting or managing risks associated with a finding in the application. This suggests that the application has some form of access control mechanism in place, where certain users or roles are authorized to accept risks associated with findings. The function also uses the request.user object, which is typically associated with authentication and authorization in web applications.
Filename dojo/engagement/views.py
Code
            return redirect_to_return_url_or_else(request, reverse('view_engagement', args=(eid, )))
    else:
        risk_acceptance_title_suggestion = f'Accept: {finding}'
        form = RiskAcceptanceForm(initial={'owner': request.user, 'name': risk_acceptance_title_suggestion})

    finding_choices = Finding.objects.filter(duplicate=False, test__engagement=eng).filter(NOT_ACCEPTED_FINDINGS_QUERY).order_by('title')
⚠️ Potential Authn/Authz Function Used or Modified dojo/finding/views.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called close_finding that is likely related to authorization. This function appears to be involved in closing a finding, which could be a sensitive operation that requires specific user permissions or authorization. The function also creates a notification for the event of 'closing of a finding', which suggests that it is handling some kind of access control or authorization-related functionality.
Filename dojo/finding/views.py
Code
            )
            create_notification(
                event="other",
                title=f"Closing of {finding.title}",
                finding=finding,
                description=f'The finding "{finding.title}" was closed by {request.user}',
                url=reverse("view_finding", args=(finding.id,)),
⚠️ Potential Authn/Authz Function Used or Modified dojo/finding/views.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function called copy_finding that involves modifying a finding in the application. This function is likely part of the authorization and access control mechanisms of the web application, as it deals with allowing a user to copy a finding, which could be considered a sensitive operation that requires appropriate permissions or privileges.
Filename dojo/finding/views.py
Code
            )
            create_notification(
                event="other",
                title=f"Copying of {finding.title}",
                description=f'The finding "{finding.title}" was copied by {request.user} to {test.title}',
                product=product,
                url=request.build_absolute_uri(
⚠️ Potential Authn/Authz Function Used or Modified dojo/management/commands/clear_alerts.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains the function Dojo_User.objects.get(username=user_name), which suggests that it is interacting with a user model or authentication system. This function is used to retrieve a user object by their username, which is a common pattern in authentication-related code.
Filename dojo/management/commands/clear_alerts.py
Code
            try:
                user = Dojo_User.objects.get(username=user_name)
                Alerts.objects.filter(user_id_id=user.id).delete()
                self.stdout.write(f'User Alerts for "{user_name}" deleted with success!')
            # Catch only the lookup failure (narrowed here from a bare `except:`),
            # so database or interrupt errors are not silently reported as a missing user.
            except Dojo_User.DoesNotExist:
                self.stdout.write(f'User "{user_name}" does not exist.')
        elif alls and not system:
            Alerts.objects.all().delete()
        elif system and not alls:
⚠️ Potential Authn/Authz Function Used or Modified dojo/okta.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function user_data that appears to be retrieving user information by making a request to the v1/userinfo endpoint. The request includes an Authorization header with a Bearer token, which suggests that this function is part of an authentication or authorization flow. The presence of this authorization-related functionality indicates that the code potentially contains functions pertaining to authentication or authorization.
Filename dojo/okta.py
Code
        return self.get_json(
            self._url('v1/userinfo'),
            headers={
                'Authorization': f'Bearer {access_token}',
            }
        )
⚠️ Potential Authn/Authz Function Used or Modified dojo/settings/settings.dist.py
Type Potential Authn/Authz Function Used or Modified
Description The provided code contains several configuration settings related to authentication and authorization, specifically for the Django SAML2 (Security Assertion Markup Language) application. The code sets up the necessary middleware, authentication backends, and login-exempt URLs for the SAML2 authentication flow. This indicates that the application likely contains functions related to authentication and authorization using the SAML2 protocol.
Filename dojo/settings/settings.dist.py
Code
    INSTALLED_APPS += ('djangosaml2',)
    MIDDLEWARE.append('djangosaml2.middleware.SamlSessionMiddleware')
    AUTHENTICATION_BACKENDS += (env('DD_SAML2_AUTHENTICATION_BACKENDS'),)
    LOGIN_EXEMPT_URLS += (rf'^{URL_PREFIX}saml2/',)
    SAML_LOGOUT_REQUEST_PREFERRED_BINDING = saml2.BINDING_HTTP_POST
    SAML_IGNORE_LOGOUT_ERRORS = True
    SAML_DJANGO_USER_MAIN_ATTRIBUTE = 'username'
⚠️ Potential Authn/Authz Function Used or Modified dojo/settings/settings.dist.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains a list of LOGIN_EXEMPT_URLS which includes URLs related to authentication and authorization, such as password_reset/, forgot_username, reset/, and /api/v2/. These URLs typically handle login, password reset, and other authentication-related functionality. Additionally, the code contains an AUTH_PASSWORD_VALIDATORS list, which is used to validate the strength of user passwords, another common authentication-related feature.
Filename dojo/settings/settings.dist.py
Code
MAX_AUTOCOMPLETE_WORDS = env('DD_MAX_AUTOCOMPLETE_WORDS')

LOGIN_EXEMPT_URLS = (
    rf'^{URL_PREFIX}static/',
    rf'^{URL_PREFIX}webhook/([\w-]+)$',
    rf'^{URL_PREFIX}webhook/',
    rf'^{URL_PREFIX}jira/webhook/([\w-]+)$',
    rf'^{URL_PREFIX}jira/webhook/',
    rf'^{URL_PREFIX}reports/cover$',
    rf'^{URL_PREFIX}finding/image/(?P<token>[^/]+)$',
    rf'^{URL_PREFIX}api/v2/',
    r'complete/',
    r'empty_questionnaire/([\d]+)/answer',
    rf'^{URL_PREFIX}password_reset/',
    rf'^{URL_PREFIX}forgot_username',
    rf'^{URL_PREFIX}reset/',
)

AUTH_PASSWORD_VALIDATORS = [
⚠️ Potential Authn/Authz Function Used or Modified dojo/settings/settings.dist.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains a function named saml2_attrib_map_format which suggests that it is related to SAML (Security Assertion Markup Language) authentication. SAML is a common authentication protocol used for single sign-on (SSO) and federated identity management. Additionally, the code references several environment variables related to SAML configuration, such as DD_SAML2_ALLOW_UNKNOWN_ATTRIBUTE and DD_SAML2_ENTITY_ID, further indicating that this code is likely part of an authentication or authorization system.
Filename dojo/settings/settings.dist.py
Code
    SAML_ALLOW_UNKNOWN_ATTRIBUTES = env('DD_SAML2_ALLOW_UNKNOWN_ATTRIBUTE')
    BASEDIR = path.dirname(path.abspath(__file__))
    if len(env('DD_SAML2_ENTITY_ID')) == 0:
        SAML2_ENTITY_ID = f'{SITE_URL}/saml2/metadata/'
    else:
        SAML2_ENTITY_ID = env('DD_SAML2_ENTITY_ID')
⚠️ Potential Authn/Authz Function Used or Modified dojo/settings/settings.dist.py
Type Potential Authn/Authz Function Used or Modified
Description The code includes a line that adds a URL pattern to the LOGIN_EXEMPT_URLS list, which is used to specify URLs that do not require authentication. This suggests that the application has some form of authentication mechanism, and the provided URL is being exempted from that requirement. Therefore, the code likely contains functions related to authentication or authorization.
Filename dojo/settings/settings.dist.py
Code
    database_engine = DATABASES.get('default').get('ENGINE')
    DATABASES['default']['ENGINE'] = database_engine.replace('django.', 'django_prometheus.', 1)
    # CELERY_RESULT_BACKEND.replace('django.core','django_prometheus.', 1)
    LOGIN_EXEMPT_URLS += (rf'^{URL_PREFIX}django_metrics/',)

# ------------------------------------
⚠️ Potential Authn/Authz Function Used or Modified dojo/settings/settings.dist.py
Type Potential Authn/Authz Function Used or Modified
Description The code snippet contains a configuration option called 'entityid' which is typically used in authentication and authorization systems, specifically in SAML (Security Assertion Markup Language) configuration. The 'entityid' is a unique identifier for the SAML service provider, which is a crucial component in the SAML authentication and authorization flow.
Filename dojo/settings/settings.dist.py
Code
        'xmlsec_binary': '/usr/bin/xmlsec1',
        # your entity id, usually your subdomain plus the url to the metadata view
        'entityid': str(SAML2_ENTITY_ID),
        # directory with attribute mapping
        'attribute_map_dir': path.join(BASEDIR, 'attribute-maps'),
⚠️ Potential Authn/Authz Function Used or Modified dojo/settings/settings.dist.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains functions related to SAML2 (Security Assertion Markup Language) authentication, which is a common authentication protocol used in web applications. The code defines the 'assertion_consumer_service' and 'single_logout_service' configurations, which are crucial parts of the SAML2 authentication flow. These configurations specify the URLs and bindings for the SAML2 authentication and logout processes, indicating that the code is handling authentication-related functionality.
Filename dojo/settings/settings.dist.py
Code
                # url and binding to the assertion consumer service view
                # do not change the binding or service name
                'assertion_consumer_service': [
                    (f'{SITE_URL}/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                # url and binding to the single logout service view
                # do not change the binding or service name
                'single_logout_service': [
                    # Disable next two lines for HTTP_REDIRECT for IDP's that only support HTTP_POST. Ex. Okta:
                    (f'{SITE_URL}/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    (f'{SITE_URL}/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },
⚠️ Potential Authn/Authz Function Used or Modified dojo/urls.py
Type Potential Authn/Authz Function Used or Modified
Description The code contains two URLs that are related to authentication or authorization. The first URL pattern, ^{}api/v2/, includes the Django Rest Framework API v2 which likely contains functions related to authentication and authorization. The second URL pattern, ^{}api/v2/user_profile/, is specifically for a UserProfileView which may contain functions related to managing user profiles, including authentication and authorization.
Filename dojo/urls.py
Code
api_v2_urls = [
    # Django Rest Framework API v2
    re_path(r'^{}api/v2/'.format(get_system_setting('url_prefix')), include(v2_api.urls)),
    re_path(r'^{}api/v2/user_profile/'.format(get_system_setting('url_prefix')), UserProfileView.as_view(), name='user_profile'),
]

if hasattr(settings, 'API_TOKENS_ENABLED'):