Skip to content

🐛 Remove unselected parsers from filters and test types #13767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: bugfix
Choose a base branch
from
Draft

🐛 Remove unselected parsers from filters and test types #13767

wants to merge 3 commits into from

Conversation

@manuel-sommer
Copy link
Contributor

@manuel-sommer manuel-sommer commented Nov 24, 2025
edited
Loading

@dryrunsecurity
Copy link

dryrunsecurity bot commented Nov 24, 2025
edited
Loading

DryRun Security

🔴 Risk threshold exceeded.

This pull request makes sensitive edits to multiple files (dojo/utils.py, dojo/filters.py, and dojo/finding/views.py) and includes a change in dojo/finding/views.py where get_visible_scan_types() returns all active, non-excluded scan types without per-user authorization checks, potentially disclosing scan-type information to users who shouldn’t see it.

🔴 Configured Codepaths Edit in dojo/filters.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/finding/views.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Information Disclosure of Scan Types in dojo/finding/views.py
Vulnerability Information Disclosure of Scan Types
Description The get_visible_scan_types() function, which is used to populate visible_test_types in the template context, filters scan types only based on a system-wide PARSER_EXCLUDE setting and the active status of the Test_Type object. It does not perform any user-specific authorization checks. This means that any authenticated user accessing the view will receive a list of all active and non-excluded scan types, regardless of their individual permissions or roles. If certain scan types are considered sensitive or should only be visible to specific user groups, this constitutes an information disclosure vulnerability.

django-DefectDojo/dojo/finding/views.py

Lines 306 to 309 in 06ef980

"visible_test_types": get_visible_scan_types(),
}
# Look to see if the product was used
if product_id := self.get_product_id():

We've notified @mtesauro.

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten added this to the 2.53.0 milestone Nov 26, 2025
@valentijnscholten
Copy link
Member

valentijnscholten commented Nov 26, 2025

Do you have screenshots of other places where the list is shown?

Import form:

image

API spec:

image

valentijnscholten
valentijnscholten reviewed Nov 26, 2025
View reviewed changes
Copy link
Member

@valentijnscholten valentijnscholten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we have conflicting/overlapping settings here. If you go to https://demo.defectdojo.org/test_type you can already mark test types (scanners) as active or inactive. I haven't looked at the code yet, but do we need two different ways to activate/deactivate scanners? The solution via an env variable is less flexible as it requires sysadmin involvement and restarts to change. wdyt @Maffooch

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Nov 26, 2025

I wonder if we have conflicting/overlapping settings here. If you go to https://demo.defectdojo.org/test_type you can already mark test types (scanners) as active or inactive. I haven't looked at the code yet, but do we need two different ways to activate/deactivate scanners? The solution via an env variable is less flexible as it requires sysadmin involvement and restarts to change. wdyt @Maffooch

You are right @valentijnscholten, looks like a duplicate. Then, the better option would be to remove the env way.

@valentijnscholten
Copy link
Member

valentijnscholten commented Nov 26, 2025

Maybe the intention was to have some sort of "company wide exclusion" via the env variable and then allow security teams to enable/disable on top of that? I don't know.

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Nov 26, 2025

Maybe the intention was to have some sort of "company wide exclusion" via the env variable and then allow security teams to enable/disable on top of that? I don't know.

If we keep both, we should add documentation.

@Maffooch
Copy link
Contributor

Maffooch commented Nov 26, 2025

I think the active flag on individual test types is sufficient. There are also some helpers to exclude inactive scanners for import/reimport forms:

django-DefectDojo/dojo/tools/factory.py

Lines 50 to 68 in a85bbba

def get_inactive_test_types():
try:
return list(Test_Type.objects.filter(active=False).values_list("name", flat=True))
except Exception:
# This exception is reached in the event of loading fixtures in to an empty database
# prior to migrations runnings
return []
def get_scan_types_sorted():
inactive_test_types = get_inactive_test_types()
res = [(key, PARSERS[key].get_description_for_scan_types(key)) for key in PARSERS if key not in inactive_test_types]
return sorted(res, key=lambda x: x[0].lower())
def get_choices_sorted():
inactive_test_types = get_inactive_test_types()
res = [(key, PARSERS[key].get_label_for_scan_types(key)) for key in PARSERS if key not in inactive_test_types]
return sorted(res, key=lambda x: x[1].lower())

@valentijnscholten valentijnscholten marked this pull request as draft November 27, 2025 17:29
@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Nov 28, 2025

FYI: I will remove the functionality (PARSER_EXCLUDE in settings) within a PR against dev as this is a breaking change.
In this PR I will move forward to fix the inactive part to remove them from the filters etc.

@valentijnscholten
Copy link
Member

valentijnscholten commented Nov 28, 2025

Might be better to do all of it in one PR in dev. If we split it up people might get confused if the parser exclude setting is still there. Wdyt?

@Maffooch
Copy link
Contributor

Maffooch commented Nov 28, 2025

Might be better to do all of it in one PR in dev. If we split it up people might get confused if the parser exclude setting is still there. Wdyt?

I agree with this thinking

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@valentijnscholten valentijnscholten valentijnscholten left review comments

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

unittests

Projects

None yet

Milestone

2.53.0

Development

Successfully merging this pull request may close these issues.

3 participants

@manuel-sommer @valentijnscholten @Maffooch