Introduce text labels for v3 #13155
Merged
Introduce text labels for v3 #13155
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[sc-11741] |
github-actions
bot
added
New Migration
|
This pull request introduces several information disclosure and authorization issues: it leaks internal IDs and allows membership/group enumeration via specific error messages and filterable sensitive fields (service keys), and it permits privilege escalation by automatically granting organization creators the owner role without requiring the explicit owner-add permission.
Information Disclosure in
|
| Vulnerability | Information Disclosure |
|---|---|
| Description | The edit_object function in dojo/object/views.py raises a BadRequest exception when the pid (product ID from the URL) does not match the object_prod.product.id (product ID associated with the tracked file object). The error message constructed for this exception explicitly includes both asset_id (from the URL) and object_asset_id (from the database object). Since BadRequest exceptions are typically returned to the client, an authenticated user with permission to view any product could potentially craft a request to edit_object with a valid pid for a product they can access, and an ttid (tracked file ID) belonging to a different product. This would cause the server to return an error message containing the object_asset_id of the product associated with the ttid, effectively leaking the internal ID of a product they are not authorized to view or edit. While these are internal IDs, their exposure can aid attackers in mapping out the system's data structure and potentially enumerating other product IDs. |
django-DefectDojo/dojo/object/views.py
Lines 69 to 70 in ab24724
Information Disclosure via Error Messages in dojo/organization/api/serializers.py
| Vulnerability | Information Disclosure via Error Messages |
|---|---|
| Description | The OrganizationMemberSerializer and OrganizationGroupSerializer classes contain validate methods that explicitly check for the existence of a member or group within an organization. If a duplicate entry is found, a ValidationError with the specific message 'Organization Member already exists' or 'Organization Group already exists' is raised. This error message is distinct from permission-related errors (e.g., 'You are not permitted to add a member to this Organization') or errors for non-existent users/groups. An attacker with sufficient privileges to attempt adding members/groups to an organization can use this difference in error messages to enumerate existing members or groups within that organization. By attempting to add a known user/group, the attacker can confirm their membership status based on the returned error message. |
django-DefectDojo/dojo/organization/api/serializers.py
Lines 48 to 49 in ab24724
Information Disclosure via Filterable Service Keys in dojo/asset/api/filters.py
| Vulnerability | Information Disclosure via Filterable Service Keys |
|---|---|
| Description | The AssetAPIScanConfigurationFilterSet exposes service_key_1, service_key_2, and service_key_3 as filterable fields. These fields are likely to contain sensitive credentials (e.g., API keys). An authenticated user with view permissions on Product_API_Scan_Configuration objects can use these filters to perform a side-channel attack. By querying the API with a guessed service_key value, the attacker can determine if that key exists within any accessible configuration based on whether the API returns data or an empty set. This confirms the validity of a guessed key without direct disclosure of its value. |
django-DefectDojo/dojo/asset/api/filters.py
Lines 30 to 33 in ab24724
Information Disclosure via Error Messages in dojo/asset/api/serializers.py
| Vulnerability | Information Disclosure via Error Messages |
|---|---|
| Description | The AssetMemberSerializer and AssetGroupSerializer's validate methods return a specific error message, 'Asset Member already exists' or 'Asset Group already exists', when a user attempts to add a member or group that is already associated with the asset. This distinct error message, compared to other validation errors or permission denied errors, allows an attacker to enumerate existing members or groups for an asset they have access to. For example, if an attacker has permission to manage members of an asset, they can try to add various users. If they receive 'Asset Member already exists', they know that user is already a member. If they receive a different error (e.g., 'User does not exist' or a generic validation error), they know the user is not a member (or doesn't exist). |
django-DefectDojo/dojo/asset/api/serializers.py
Lines 106 to 107 in ab24724
Insufficient Authorization in Organization Creation in dojo/organization/api/views.py
| Vulnerability | Insufficient Authorization in Organization Creation |
|---|---|
| Description | The perform_create method in OrganizationViewSet automatically assigns the 'owner' role to the user who creates a new organization. This bypasses the explicit permission check (Permissions.Product_Type_Member_Add_Owner) that is required when adding an owner to an existing organization via the OrganizationMemberSerializer. A user with permission to create an organization (Permissions.Product_Type_Add) but without the permission to grant ownership (Permissions.Product_Type_Member_Add_Owner) can exploit this to become an owner of any organization they create, effectively escalating their privileges for that specific entity. |
django-DefectDojo/dojo/organization/api/views.py
Lines 66 to 69 in ab24724
All finding details can be found in the DryRun Security Dashboard.
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
Maffooch
requested changes
Sep 12, 2025
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
github-actions
bot
removed
the
New Migration
dogboat
force-pushed
the
v3_relabel
branch
4 times, most recently
from
1205a0a to
1013410
Compare
Maffooch
approved these changes
Sep 25, 2025
blakeaowens
approved these changes
Sep 26, 2025
valentijnscholten
approved these changes
Oct 2, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch introduces v3 text copy. "Product" is renamed to "Asset" and "Product Type" is renamed to "Organization" throughout. Additionally, new URL routes are added to reflect the change (i.e.,
/asset). A new system setting is added to toggle between the two versions, defaulting to the new copy.All copy that is altered is concentrated in
labels.py, which acts as a sort of centralized directory. A context processor is added allowing templates to reference these values through thelabelsvariable. Application code can similarly access this data through use of theget_labels()method. URL routing is handled by a middleware that checks which version of copy is selected and sets the urlconf accordingly. To that end, a few packages' urls.py have been restructured to support this.