refactor dojo async task base task #13986
Conversation
This pull request has conflicts; please resolve those before we can evaluate the pull request.

Conflicts have been resolved. A maintainer will review the pull request shortly.
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
31a5314 to 917aa72
Resolved conflicts:
- dojo/utils.py: Added grade_product function from upstream, kept removal of @dojo_async_task decorator
- unittests/test_importers_performance.py: Updated expected query count to 319 (from upstream)

Conflicts have been resolved. A maintainer will review the pull request shortly.
I have had to include the commits from #14090 in this PR to make sure the downstream Pro codebase still works.

I've also had to include the commits from #14109 to make the downstream Pro codebase work.
…atform, lifecycle, and origin
And then I had to include the commits from #14080 to fix other errors in Pro.
… and maintainability
…al and key assets, and update OrganizationViewSet to use OrganizationFilterSet for filtering.
…cing coverage for asset-related functionalities.
…rmissions, enhancing clarity and maintainability.
…proved readability
This pull request unpacks user-supplied request.data into background task dispatch calls (in dojo/api_v2/views.py), creating a mass-assignment vulnerability that lets attackers inject internal context fields like async_user or _pgh_context to impersonate users or spoof audit logs. The issue affects update_jira_epic and add_epic; the fix should avoid passing raw request data into dojo_dispatch_task or ensure sensitive keys are filtered.
| Vulnerability | Mass Assignment: Unvalidated unpacking of request.data into background tasks |
|---|---|
| Description | The update_jira_epic and add_epic views in dojo/api_v2/views.py unpack the entire request.data dictionary into dojo_dispatch_task using the ** operator. This is a mass assignment vulnerability because dojo_dispatch_task and its helper _inject_async_user only inject internal context fields (like async_user and _pgh_context) if they are not already present in the arguments. Consequently, an attacker can provide these keys in the API request body to impersonate other users or spoof audit logs in the background tasks that are subsequently triggered. |
django-DefectDojo/dojo/api_v2/views.py, lines 682 to 685 in fd84c2b:

```python
dojo_dispatch_task(jira_helper.update_epic, engagement.id, **request.data)
response = Response(
    {"info": "Jira Epic update query sent"},
    status=status.HTTP_200_OK,
```
All finding details can be found in the DryRun Security Dashboard.
This pull request has conflicts; please resolve those before we can evaluate the pull request.

Conflicts have been resolved. A maintainer will review the pull request shortly.
The custom decorators that we have on Celery tasks interfere with some (advanced) celery functionality like signatures. This PR refactors this to have a clean base task that passes on context, but does not interfere with celery mechanisms.
The logic to decide whether or not the task is to be called asynchronously is now in a dispatch method.
Pro needs similar changes via https://github.com/DefectDojo-Inc/dojo-pro/pull/973, these must be merged "at the same time".
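The following is an added example, not code from DefectDojo, from this PR, or from the DryRun finding. It models two things discussed on this page: a dispatch helper that decides between the synchronous and the Celery path while passing request context along, and the mass-assignment hole that opens when a view unpacks raw request.data into that helper and the helper only fills context keys that are absent. The only names taken from the page are the context keys async_user and _pgh_context; FakeCeleryTask, ASYNC_ENABLED, EPIC_FIELDS, dispatch_task, dispatch_task_unsafe, update_epic and demo are assumptions made for the illustration, and the request body is constructed.

```python
"""Added example (not DefectDojo's code): a context-passing dispatch helper and
why unpacking raw request.data into it is a mass-assignment hole.

Assumptions: FakeCeleryTask stands in for a Celery task, ASYNC_ENABLED for the
setting a real dispatch method would consult, and EPIC_FIELDS for the fields the
view is willing to forward. None of these names come from the project.
"""
import contextvars
from dataclasses import dataclass, field
from typing import Any, Callable

# Keys the dispatcher owns. A caller must never be allowed to set them.
RESERVED_CONTEXT_KEYS = frozenset({"async_user", "_pgh_context"})

# Request-scoped current user, as middleware would set it (assumption).
current_user: contextvars.ContextVar = contextvars.ContextVar("current_user", default=None)

# Whether tasks go to the broker or run inline (assumption: mirrors a setting).
ASYNC_ENABLED = True


@dataclass
class FakeCeleryTask:
    """Minimal stand-in for a Celery task: runs the function, records the path used."""
    func: Callable[..., Any]
    calls: list = field(default_factory=list)

    def apply_async(self, args=(), kwargs=None):
        kwargs = dict(kwargs or {})
        self.calls.append(("async", args, kwargs))
        return self.func(*args, **kwargs)  # broker round-trip elided

    def __call__(self, *args, **kwargs):
        self.calls.append(("sync", args, kwargs))
        return self.func(*args, **kwargs)


def dispatch_task_unsafe(task, *args, **kwargs):
    """Vulnerable shape: context is injected only when the key is absent,
    so whatever the caller (ultimately the API client) supplied wins."""
    kwargs.setdefault("async_user", current_user.get())
    kwargs.setdefault("_pgh_context", {"user": current_user.get()})
    if ASYNC_ENABLED:
        return task.apply_async(args=args, kwargs=kwargs)
    return task(*args, **kwargs)


def dispatch_task(task, *args, **kwargs):
    """Hardened shape: reserved keys are rejected, then always overwritten
    from trusted request context on both the sync and the async path."""
    clash = RESERVED_CONTEXT_KEYS.intersection(kwargs)
    if clash:
        raise ValueError(f"caller supplied reserved dispatch kwargs: {sorted(clash)}")
    kwargs["async_user"] = current_user.get()
    kwargs["_pgh_context"] = {"user": current_user.get()}
    if ASYNC_ENABLED:
        return task.apply_async(args=args, kwargs=kwargs)
    return task(*args, **kwargs)


def update_epic(engagement_id, *, async_user=None, _pgh_context=None, **fields):
    """Toy background task: reports whom the audit trail would attribute the change to."""
    return {"engagement": engagement_id, "actor": async_user,
            "audit_user": (_pgh_context or {}).get("user"), "fields": fields}


update_epic_task = FakeCeleryTask(update_epic)

# Allowlist of request.data keys the view forwards (assumption, not the project's serializer).
EPIC_FIELDS = ("epic_name", "epic_priority")


def filter_request_data(data):
    return {k: data[k] for k in EPIC_FIELDS if k in data}


def update_jira_epic_unsafe(engagement_id, request_data):
    # Mirrors the flagged pattern: **request.data straight into the dispatcher.
    return dispatch_task_unsafe(update_epic_task, engagement_id, **request_data)


def update_jira_epic(engagement_id, request_data):
    return dispatch_task(update_epic_task, engagement_id, **filter_request_data(request_data))


# Constructed attacker request body: a legitimate field plus a smuggled context key.
ATTACKER_BODY = {"epic_name": "Q3 release", "async_user": "admin"}


def demo(user="alice", async_enabled=True):
    """Runs both views as `user` and returns what each task saw."""
    global ASYNC_ENABLED
    ASYNC_ENABLED = async_enabled
    token = current_user.set(user)
    try:
        unsafe = update_jira_epic_unsafe(7, dict(ATTACKER_BODY))
        safe = update_jira_epic(7, dict(ATTACKER_BODY))
        try:  # defence in depth: even a view that forgets the allowlist cannot smuggle context
            dispatch_task(update_epic_task, 7, **ATTACKER_BODY)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        current_user.reset(token)
    return {"unsafe": unsafe, "safe": safe, "rejected_raw_body": rejected,
            "path": update_epic_task.calls[-1][0]}


if __name__ == "__main__":
    print(demo())
```

Running the file as alice shows the unsafe view attributing the change to "admin" while its _pgh_context still names alice, so the audit trail is not only spoofable but internally inconsistent. The hardened dispatcher fixes both halves of the finding: the view forwards only allowlisted fields, and the dispatcher refuses reserved keys and sets the context itself after that check, so the sync and the Celery path carry the same trusted user. Keeping that decision in one dispatch function rather than in a task decorator is also what leaves Celery signatures and apply_async untouched.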