Skip to content

enhance/normalize EDITABLE_MITIGATED_DATA handling #13303

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 4, 2025
Merged

enhance/normalize EDITABLE_MITIGATED_DATA handling #13303

merged 5 commits into from
Oct 4, 2025

Conversation

valentijnscholten
Copy link
Member

@valentijnscholten valentijnscholten commented Oct 2, 2025
edited
Loading

Fixes #6078

I thought it would be nice to allow the Finding API to accept mitigated and mitigated_by values for super users and when settings.EDITABLE_MITIGATED_DATA was True.

This PR adds that. It also normalizes the check in all place.

Two notes:

  • The Close Finding UI form did not allow setting these fields at all. Now it does if the setting is enabled and the user is a superuser.
  • The Close Finding API allowed non-superusers to modify the mitigated timestamp field if the EDITABLE_MITIGATED_DATA was enabled. Not sure if this was intentional, but this PR now guards that field by the same central helper method. So only superusers can set if and EDITABLE_MITIGATED_DATA must be enabled. Is this oké?
  • The Close Finding UI and API have this missing note types functionality. I don't fully understand it, but this PR now allows superusers to create findings that are mitigated and do not have any notes. Is this oké?

It looked like a simple change at first, but these inconsistencies made it hard to find out what is/was the intended behaviour. Do we want to allow creation and updating of findings as mitigated without doing the close finding api call?

Users can do this in the Edit Finding feature of the UI, so I think it should be supported in the API as well.

@valentijnscholten valentijnscholten added this to the 2.51.0 milestone Oct 2, 2025
@github-actions github-actions bot added the apiv2 label Oct 2, 2025
@valentijnscholten valentijnscholten marked this pull request as draft October 2, 2025 18:58
@valentijnscholten valentijnscholten marked this pull request as ready for review October 2, 2025 19:20
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Oct 2, 2025
edited
Loading

DryRun Security

This pull request exposes internal configuration details in API validation error messages by returning the flag name EDITABLE_MITIGATED_DATA=false in responses (reported in dojo/api_v2/serializers.py at two locations), which risks information disclosure that could aid attackers. Reviewers should remove or sanitize the flag from error messages to avoid leaking internal state.

Information Disclosure via Error Message in dojo/api_v2/serializers.py
Vulnerability Information Disclosure via Error Message
Description The application's API returns a validation error message that explicitly includes the name of an internal configuration flag, EDITABLE_MITIGATED_DATA=false. This exposes internal system details to the client, which can aid an attacker in understanding the application's configuration and internal logic.

django-DefectDojo/dojo/api_v2/serializers.py

Lines 1786 to 1789 in 5f86e14

errors["mitigated"] = ["Editing mitigated timestamp is disabled (EDITABLE_MITIGATED_DATA=false)"]
if ("mitigated_by" in data) and (data.get("mitigated_by") is not None):
errors["mitigated_by"] = ["Editing mitigated_by is disabled (EDITABLE_MITIGATED_DATA=false)"]
if errors:

Information Disclosure via Error Message in dojo/api_v2/serializers.py
Vulnerability Information Disclosure via Error Message
Description The application's API error messages explicitly reveal an internal configuration setting (EDITABLE_MITIGATED_DATA=false). This provides unnecessary internal system details to API consumers, which could aid an attacker in understanding the system's configuration and potentially inform further reconnaissance or exploitation efforts.

django-DefectDojo/dojo/api_v2/serializers.py

Lines 1940 to 1943 in 5f86e14

errors["mitigated"] = ["Editing mitigated timestamp is disabled (EDITABLE_MITIGATED_DATA=false)"]
if ("mitigated_by" in data) and (data.get("mitigated_by") is not None):
errors["mitigated_by"] = ["Editing mitigated_by is disabled (EDITABLE_MITIGATED_DATA=false)"]
if errors:

All finding details can be found in the DryRun Security Dashboard.

@Maffooch
Copy link
Contributor

Maffooch commented Oct 2, 2025

I think this is a fine approach - one tests as passing, I'll approve

@Maffooch Maffooch requested review from Jino-T and blakeaowens October 3, 2025 19:21
mtesauro
mtesauro approved these changes Oct 3, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro merged commit 89ac05a into DefectDojo:dev Oct 4, 2025
148 of 149 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@Maffooch Maffooch Maffooch approved these changes

@Jino-T Jino-T Jino-T approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees

No one assigned

Labels

apiv2 unittests

Projects

None yet

Milestone

2.51.0

Development

Successfully merging this pull request may close these issues.

5 participants

@valentijnscholten @Maffooch @mtesauro @Jino-T @blakeaowens