Ruff: Fix PLC2701 + merge PLC#13436

Merged

Maffooch merged 1 commit into DefectDojo:dev on Oct 17, 2025

Conversation
This pull request introduces model copy utilities that by default duplicate all fields and lack built-in authorization checks, so sensitive fields (credentials, PII, internal details) can be unintentionally copied and users with read access might create full copies they shouldn’t be able to, leading to potential information disclosure and access-control bypass.
Information Disclosure via Model Copying in
| Vulnerability | Information Disclosure via Model Copying |
|---|---|
| Description | The copy_model_util function, when called without specifying exclude_fields, copies all fields from a model instance to a new one. Several copy methods in dojo/models.py use this utility without excluding potentially sensitive fields. This means that if a model contains sensitive data (e.g., internal network details, credentials, PII), this data will be duplicated into the new instance. If the copied instance is then accessible to unauthorized users or users with lower privileges, it can lead to information disclosure. |
Reference: django-DefectDojo/dojo/models.py, lines 132 to 135 in ac2874e
Missing Authorization Checks in Model Copy Operations in dojo/models.py
| Vulnerability | Missing Authorization Checks in Model Copy Operations |
|---|---|
| Description | The copy_model_util function and the model-specific copy methods that utilize it (e.g., for NoteHistory, Engagement, Finding) do not include any authorization checks. This means that if these copy methods are invoked from any part of the application without explicit, robust authorization checks at the call site, a user could potentially bypass access controls. A user with read access to an object might be able to create a full copy of it, gaining ownership or access to data they were not authorized to create or fully access in the original context. |
Reference: django-DefectDojo/dojo/models.py, lines 132 to 135 in ac2874e
All finding details can be found in the DryRun Security Dashboard.
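The comment above describes a copy helper that duplicates every field unless `exclude_fields` is given and performs no authorization of its own. The following is an added example, not code from DefectDojo or this pull request: a plain dataclass stands in for a Django model, and the field names, the `SENSITIVE_FIELDS` set and the `owner_only` rule are constructed for illustration. It puts that naive shape beside a hardened variant that excludes sensitive fields by default, requires a permission callback before any data is read, and assigns the copy to the acting user; a small `leaked_sensitive_fields` check shows how a unit test or audit script would catch the difference.

```python
from dataclasses import dataclass, fields
from typing import Callable, Iterable, Optional, Set

# Constructed for this example: fields a defender would refuse to duplicate
# by default. These are not DefectDojo field names.
SENSITIVE_FIELDS = frozenset({"api_key", "internal_notes", "reporter_email"})


@dataclass
class FakeEngagement:
    """Stand-in for a Django model instance (constructed field names)."""
    id: Optional[int]
    name: str = ""
    description: str = ""
    api_key: str = ""
    internal_notes: str = ""
    reporter_email: str = ""
    owner: str = ""


def make_sample() -> FakeEngagement:
    """Constructed sample row with a value in every sensitive field."""
    return FakeEngagement(
        id=1, name="Q3 web app", description="external pentest",
        api_key="example-secret-token", internal_notes="staging host 10.0.0.5",
        reporter_email="alice@example.test", owner="alice",
    )


def copy_model_util(instance, exclude_fields: Iterable[str] = ()):
    """Naive helper in the shape the comment describes: every field is copied
    unless the caller remembers to list it in exclude_fields, and nothing
    checks whether the caller is allowed to copy at all."""
    exclude = set(exclude_fields)
    data = {f.name: getattr(instance, f.name)
            for f in fields(instance) if f.name not in exclude}
    data["id"] = None  # the copy is a new, unsaved row
    return type(instance)(**data)


def owner_only(actor: str, instance) -> bool:
    """Example authorization rule (assumed): only the owner may duplicate a record."""
    return actor == instance.owner


def safe_copy(instance, *, actor: str,
              can_copy: Callable[[str, object], bool] = owner_only,
              extra_exclude: Iterable[str] = ()):
    """Hardened variant: the permission check runs before any field is read,
    sensitive fields are excluded by default (plus whatever the caller adds),
    and the copy belongs to the actor instead of inheriting the original owner."""
    if not can_copy(actor, instance):
        raise PermissionError(
            f"{actor!r} may not copy {type(instance).__name__} id={instance.id}")
    exclude = SENSITIVE_FIELDS | set(extra_exclude) | {"id", "owner"}
    data = {}
    for f in fields(instance):
        # Excluded fields get an empty value instead of the original's content.
        data[f.name] = "" if f.name in exclude else getattr(instance, f.name)
    data["id"] = None
    data["owner"] = actor
    return type(instance)(**data)


def copy_denied(instance, actor: str) -> bool:
    """True when the hardened helper refuses the copy for this actor."""
    try:
        safe_copy(instance, actor=actor)
    except PermissionError:
        return True
    return False


def leaked_sensitive_fields(original, copy) -> Set[str]:
    """Detection check: which sensitive fields carry the same non-empty value
    in both rows? A non-empty result means data was duplicated."""
    return {
        name for name in SENSITIVE_FIELDS
        if getattr(copy, name, "") and getattr(copy, name) == getattr(original, name)
    }


if __name__ == "__main__":
    src = make_sample()
    print("naive copy leaks:", sorted(leaked_sensitive_fields(src, copy_model_util(src))))
    print("hardened copy leaks:", sorted(leaked_sensitive_fields(src, safe_copy(src, actor="alice"))))
    print("copy by non-owner denied:", copy_denied(src, "bob"))
```

The point of `leaked_sensitive_fields` is that the check does not depend on remembering `exclude_fields` at each call site: run it in the test suite over every model that has a copy method and it flags any path where the naive behaviour survives.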
Maffooch approved these changes, Oct 17, 2025

valentijnscholten approved these changes, Oct 17, 2025

Jino-T approved these changes, Oct 17, 2025
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request, Feb 16, 2026
If functions are not only for private use, they should not use a private naming convention. Applies to:

- `_get_prefetchable_fields`
- `_copy_model_util`

Regarding `from hyperlink._url import SCHEME_PORT_MAP`, there is no known better alternative.