
Updates Decorators with Certain Permission Models#14410

Merged
Maffooch merged 5 commits into DefectDojo:bugfix from devGregA:permissions
Mar 2, 2026

Conversation


@devGregA devGregA commented Feb 27, 2026

  • Updates permission decorators to be more explicit
  • Add comments for specific permission choices made
  • Add unit test for verifying permissions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Maffooch Maffooch added this to the 2.56.0 milestone Feb 27, 2026
@github-actions github-actions bot removed the parser label Feb 27, 2026

dryrunsecurity bot commented Feb 28, 2026

DryRun Security

🟡 Please give this pull request extra attention during review.

This pull request introduces a change to dojo/benchmark/views.py but leaves the update_benchmark view retrieving a Product by user-supplied pid without any authorization check or scoping to the current user, creating a potential IDOR where an authenticated attacker could access or modify benchmarks for arbitrary products; the view is missing the @user_is_authorized decorator present on similar endpoints.

🟡 Potential IDOR Vulnerability in dojo/benchmark/views.py (drs_f515c4be)

Vulnerability: Potential IDOR Vulnerability

Description: The 'update_benchmark' view in 'dojo/benchmark/views.py' retrieves a 'Product' object using a user-supplied 'pid' without any authorization check or scoping to the current user. While the patch adds a filter to ensure the 'Benchmark_Product' belongs to the retrieved 'Product', it fails to verify that the user has permission to access that 'Product'. This allows an authenticated attacker to access or modify benchmarks for any product by providing the appropriate 'pid'. Unlike other views in the same file (e.g., 'update_benchmark_summary') and other files in the patch, 'update_benchmark' is missing the '@user_is_authorized' decorator that would normally enforce these permissions.

product = get_object_or_404(Product, id=pid)
bench = get_object_or_404(Benchmark_Product.objects.filter(product=product), id=bench_id)
if field in {
All finding details can be found in the DryRun Security Dashboard.
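The gap the bot describes, scoping the benchmark to the product while never checking that the caller may touch the product, is shown below as an added example. It is not DefectDojo's code: the in-memory models, the `User.has_permission` check, the `benchmark_edit` permission name and the decorator's signature are constructed stand-ins that only mirror the page's `user_is_authorized` pattern, so the example runs without Django.

```python
"""Object-level authorization on a Django-style view, modelled without Django.

Added example for this thread; NOT DefectDojo's code. Models, permission
names and the decorator signature are constructed assumptions.
"""
from functools import wraps


class NotFound(Exception):
    """Stands in for Django's Http404."""


class Forbidden(Exception):
    """Stands in for Django's PermissionDenied (HTTP 403)."""


# Constructed sample data: two products, each with one benchmark row.
PRODUCTS = {1: {"id": 1, "name": "Product A"}, 2: {"id": 2, "name": "Product B"}}
BENCHMARKS = {
    10: {"id": 10, "product_id": 1, "pass_fail": False},
    20: {"id": 20, "product_id": 2, "pass_fail": False},
}


class User:
    """Constructed stand-in: the user holds every permission on the listed
    products and none on any other product."""

    def __init__(self, name, product_ids):
        self.name = name
        self.product_ids = set(product_ids)

    def has_permission(self, product, permission):
        # Hypothetical check; a real app would consult roles and groups.
        return product["id"] in self.product_ids


def get_object_or_404(table, obj_id, scope=None):
    """Mimics Django's get_object_or_404 on a dict, with an optional scoping
    predicate that plays the role of a .filter(product=product) queryset."""
    obj = table.get(obj_id)
    if obj is None or (scope is not None and not scope(obj)):
        raise NotFound(f"no object with id {obj_id}")
    return obj


def user_is_authorized(table, permission, arg):
    """Hypothetical decorator: load the object whose id arrives in keyword
    `arg`, then refuse the request unless `user` holds `permission` on it.
    The view body never runs for an object the caller is not entitled to."""

    def decorator(view):
        @wraps(view)
        def wrapper(user, *args, **kwargs):
            obj = get_object_or_404(table, kwargs[arg])
            if not user.has_permission(obj, permission):
                raise Forbidden(f"{user.name} lacks {permission} on {obj['name']}")
            return view(user, *args, **kwargs)

        return wrapper

    return decorator


def update_benchmark_unprotected(user, *, pid, bench_id, value):
    """The pattern the finding flags: the benchmark is scoped to the product,
    but the product itself comes from a user-supplied pid with no check that
    this user may edit it."""
    product = get_object_or_404(PRODUCTS, pid)
    bench = get_object_or_404(
        BENCHMARKS, bench_id, scope=lambda b: b["product_id"] == product["id"]
    )
    bench["pass_fail"] = value
    return bench


@user_is_authorized(PRODUCTS, "benchmark_edit", "pid")
def update_benchmark(user, *, pid, bench_id, value):
    """Hardened form: identical body, but the decorator enforces object-level
    authorization on the product before the body executes."""
    product = get_object_or_404(PRODUCTS, pid)
    bench = get_object_or_404(
        BENCHMARKS, bench_id, scope=lambda b: b["product_id"] == product["id"]
    )
    bench["pass_fail"] = value
    return bench


def attempt(view, user, **kwargs):
    """Run a view and report the outcome as a status string, the way a test
    would inspect the HTTP status code."""
    try:
        view(user, **kwargs)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    alice = User("alice", product_ids=[1])
    print("unprotected, other product:", attempt(update_benchmark_unprotected, alice, pid=2, bench_id=20, value=True))
    print("protected, other product:  ", attempt(update_benchmark, alice, pid=2, bench_id=20, value=True))
    print("protected, own product:    ", attempt(update_benchmark, alice, pid=1, bench_id=10, value=True))
```

The scoping filter and the authorization decorator guard different things: the filter stops a benchmark id from being paired with a product it does not belong to, while the decorator stops the product id itself from being chosen freely by the caller. A unit test like the one this PR adds should exercise both paths, asserting a 403 for a user without rights on the product and a 404 for a benchmark that is not the product's.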

valentijnscholten (Member) commented

Are there some lines that describe what this PR does? I can see it exposes some extra data depending on users permissions. But it also changes some existing permission checks?


Maffooch commented Mar 2, 2026

@valentijnscholten I have added a description to the PR

@Maffooch Maffooch merged commit 1267c72 into DefectDojo:bugfix Mar 2, 2026
147 of 148 checks passed


5 participants