Skip to content

Fix DojoGroupSerializer to handle empty permissions list#13447

Merged
Maffooch merged 2 commits intobugfixfrom
dojo-groups-edit-config-perms
Oct 17, 2025
Merged

Fix DojoGroupSerializer to handle empty permissions list#13447
Maffooch merged 2 commits intobugfixfrom
dojo-groups-edit-config-perms

Conversation

@Maffooch
Copy link
Contributor

@Maffooch Maffooch commented Oct 17, 2025

Update the DojoGroupSerializer to clear permissions when an empty list is provided, ensuring proper handling of permission updates.

@Maffooch Maffooch requested a review from mtesauro as a code owner October 17, 2025 01:11
@dryrunsecurity
Copy link

dryrunsecurity bot commented Oct 17, 2025
edited
Loading

DryRun Security

This pull request introduces a change that allows a user with standard Permissions.Group_Edit on a given group to clear all group permissions by submitting an empty auth_group.permissions list, effectively enabling denial-of-service for group members because there is no elevated/explicit permission check for this sensitive action. It recommends adding a stricter authorization check (or separate permission) for clearing all permissions to prevent misuse.

Authorization flaw allowing group permission clearing in dojo/api_v2/serializers.py
Vulnerability Authorization flaw allowing group permission clearing
Description The patch introduces a mechanism to clear all group permissions if an empty list is provided in the auth_group.permissions field. The authorization logic for updating a group (via DojoGroupViewSet and UserHasDojoGroupPermission) only checks for Permissions.Group_Edit. This means any user with Permissions.Group_Edit on a specific group can send a request to clear all permissions for that group, leading to a denial of service for its members. There is no specific, elevated permission check for the sensitive action of clearing all group permissions.

django-DefectDojo/dojo/api_v2/serializers.py

Lines 731 to 732 in 29a44ab

if isinstance(permissions_in_payload, list) and len(permissions_in_payload) == 0:
instance.auth_group.permissions.clear()

All finding details can be found in the DryRun Security Dashboard.

@mtesauro mtesauro requested a review from blakeaowens October 17, 2025 01:13
mtesauro
mtesauro approved these changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro requested a review from Jino-T October 17, 2025 01:14
@github-actions github-actions bot added the apiv2 label Oct 17, 2025
@Maffooch Maffooch added this to the 2.51.2 milestone Oct 17, 2025
@Maffooch Maffooch merged commit 9c35b78 into bugfix Oct 17, 2025
151 checks passed
@Maffooch Maffooch deleted the dojo-groups-edit-config-perms branch October 17, 2025 16:43
Maffooch added a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
@Maffooch
Fix DojoGroupSerializer to handle empty permissions list (DefectDojo#…
98cd98d 
…13447)

* fix(serializers): Update DojoGroupSerializer to handle empty permissions list

* Accommodate the UserSerializer as well
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Jino-T Jino-T Jino-T approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees

No one assigned

Labels

apiv2

Projects

None yet

Milestone

2.51.2

Development

Successfully merging this pull request may close these issues.

5 participants

@Maffooch @mtesauro @valentijnscholten @Jino-T @blakeaowens