Fix engagements filters in 'engagements by product view' #10046

Merged
merged 6 commits into from
Apr 30, 2024

fix imports order

b0c3032
DryRunSecurity / Authn/Authz Analyzer succeeded Apr 30, 2024 in 2s

DryRun Security


Authn/Authz Analyzer Findings: 2 detected

⚠️ Potential Authn/Authz Function Used or Modified: dojo/filters.py

Type: Potential Authn/Authz Function Used or Modified
Description: The code contains functions related to authentication or authorization, such as get_authorized_users() and the Permissions class, which suggest that the code is managing user permissions and access control.
Filename: dojo/filters.py
```python
        fields = ['name', 'prod_type']


class ProductEngagementsFilter(DojoFilter):
    engagement__name = CharFilter(field_name='name', lookup_expr='icontains', label='Engagement name contains')
    # Empty queryset at class definition time; the authorized set is filled in per request in __init__
    engagement__lead = ModelChoiceFilter(field_name='lead', queryset=Dojo_User.objects.none(), label="Lead")
    engagement__version = CharFilter(field_name='version', lookup_expr='icontains', label='Engagement version')
    engagement__test__version = CharFilter(field_name='test__version', lookup_expr='icontains', label='Test version')
    engagement__status = MultipleChoiceFilter(field_name='status', choices=ENGAGEMENT_STATUS_CHOICES,
                                              label="Status")

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # Only offer leads the requesting user is authorized to see, so the dropdown
        # does not enumerate users across product types the user has no access to
        self.form.fields['engagement__lead'].queryset = get_authorized_users(Permissions.Product_Type_View) \
            .filter(engagement__lead__isnull=False).distinct()

    class Meta:
        model = Engagement
        fields = []


class ProductEngagementsFilterWithoutObjectLookups(ProductEngagementsFilter):
    # String-matching variant: exact username instead of an object dropdown
    engagement__lead = CharFilter(
        field_name="lead__username",
        lookup_expr="iexact",
        label="Lead Username",
        help_text="Search for Lead username that are an exact match")


class EngagementFilterWithoutObjectLookups(EngagementFilterHelper):
    engagement__lead = CharFilter(
        field_name="engagement__lead__username",
```
⚠️ Potential Authn/Authz Function Used or Modified: dojo/engagement/views.py

Type: Potential Authn/Authz Function Used or Modified
Description: The code contains the function get_authorized_engagements() which appears to be related to authorization and access control. The function Permissions.Engagement_View suggests that it is checking for user permissions to access the engagement resource, which is a common pattern for implementing authorization in web applications.
Filename: dojo/engagement/views.py
```python
        'engagement_set__jira_project__jira_instance',
        'jira_project_set__jira_instance'
    )
    # Pick the string-matching filter or the object-lookup filter depending on the setting
    filter_class = EngagementFilterWithoutObjectLookups if filter_string_matching else EngagementFilter
    filtered = filter_class(
        request.GET,
        queryset=filter_qs
    )
    prods = get_page_items(request, filtered.qs, 25)
    prods.paginator.count = sum(len(prod.engagement_set.all()) for prod in prods)
    # Autocomplete word lists are drawn only from objects the user is authorized to view
    name_words = products_with_engagements.values_list('name', flat=True)
    eng_words = get_authorized_engagements(Permissions.Engagement_View).values_list('name', flat=True).distinct()
```