
Object File Uploads: Add validations and download functionality #10183

Merged: 1 commit, May 13, 2024

Conversation

@Maffooch (Contributor) commented May 10, 2024

When using the API to upload files, it was noticed that the FILE_UPLOAD_TYPES setting was not being enforced. This PR adds enforcement of this setting. Additionally, these files should be downloaded to disk rather than being rendered by the browser.

[sc-5953]
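The two behaviours this PR describes, rejecting uploads whose extension is not in FILE_UPLOAD_TYPES and serving stored files as downloads instead of letting the browser render them, are illustrated below in plain Python so the example runs without Django. This is an added example, not DefectDojo's code: the setting name FILE_UPLOAD_TYPES comes from the PR text, while the sample allow-list, file names and helper names (`validate_upload`, `attachment_headers`) are constructed for the example. It also covers the edge cases an extension check has to get right: case differences, double extensions such as `report.pdf.html`, and names with no extension at all.

```python
"""Extension allow-list enforcement and download headers for uploads.

Added example, not the project's own code. Mirrors the behaviour the PR
describes in framework-free Python. FILE_UPLOAD_TYPES is the setting the
PR names; its contents here are a constructed sample.
"""
import os
from urllib.parse import quote

# Constructed sample allow-list standing in for settings.FILE_UPLOAD_TYPES.
FILE_UPLOAD_TYPES = ["pdf", "png", "jpg", "txt", "csv", "log"]


def normalize_types(allowed):
    """Accept entries written with or without a leading dot and in any
    case, so ".PDF" and "pdf" both mean pdf. Empty entries are dropped."""
    return {t.lower().lstrip(".") for t in allowed if t.strip(".")}


def file_extension(filename):
    """Return the final extension, lower case, without the dot, or '' when
    there is none. Only the last suffix counts: 'report.pdf.html' is html,
    not pdf, and a dotfile such as '.bashrc' has no extension."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower().lstrip(".")


def validate_upload(filename, allowed=FILE_UPLOAD_TYPES):
    """Raise ValueError if the extension is not allow-listed; this is the
    check a serializer or form validate step would run. Returns the
    normalized extension on success."""
    ext = file_extension(filename)
    types = normalize_types(allowed)
    if not ext or ext not in types:
        raise ValueError(
            f"Unsupported file type '.{ext}' for '{filename}'; "
            f"allowed types: {', '.join(sorted(types))}"
        )
    return ext


def is_allowed_upload(filename, allowed=FILE_UPLOAD_TYPES):
    """Boolean wrapper around validate_upload for callers that do not
    want the exception."""
    try:
        validate_upload(filename, allowed)
        return True
    except ValueError:
        return False


def attachment_headers(filename):
    """Response headers that make the browser save the file rather than
    render it: the server-side counterpart of a download attribute on the
    link. A generic content type plus nosniff keeps an HTML or SVG upload
    from executing in the application's origin even if someone fetches
    the URL directly instead of clicking the link."""
    safe = os.path.basename(filename.replace("\\", "/")).replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": (
            f'attachment; filename="{safe}"; '
            f"filename*=UTF-8''{quote(safe)}"
        ),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed file names covering the edge cases the check must handle.
    for name in ["scan.pdf", "SCAN.PDF", "report.pdf.html",
                 "payload.svg", "noext", ".bashrc"]:
        print(f"{name:18} allowed={is_allowed_upload(name)}")
    print(attachment_headers("scan.pdf"))
```

An extension allow-list only decides which names are accepted; it does not inspect content, so the download headers are what stop an accepted file from being rendered as active content if the list is ever loosened. Applying the same `validate_upload` in both the API serializer and the form keeps the two upload paths from drifting apart, which is the gap the PR closes.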


Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
Sensitive Files Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on improving the security of file handling and download functionality
across various templates and serializers in the Defect Dojo application. The key security-related changes are:

  1. File Download Functionality: The changes in the dojo/templates/dojo/view_eng.html and dojo/templates/dojo/view_finding.html files add the download attribute to the file download links. This is a positive security improvement as it prompts the user to download the file instead of automatically opening it, reducing the risk of potential security vulnerabilities associated with file execution.

  2. File Upload Validation: The changes in the dojo/forms.py file introduce a validation step to ensure that only files with approved extensions can be uploaded through the form. This helps to prevent the upload of potentially malicious files, which could lead to security vulnerabilities if processed by the application.

  3. File Attachment Handling: The change in the dojo/templates/dojo/view_test.html file adds the target="_blank" attribute to the file attachment download links. While this can improve the user experience, it may also introduce potential security risks related to the execution of malicious content within the file attachments. It is important to ensure that the file attachments are properly sanitized and validated before being served to the user.

  4. API Serializer Changes: The changes in the dojo/api_v2/serializers.py file include the addition of a validate method to the FileSerializer class, which checks the file extension of the uploaded file and ensures that it is one of the valid file extensions specified in the application's settings. This is a crucial security measure to prevent the upload of potentially malicious files through the API.

Overall, these code changes demonstrate a security-focused approach to improving the application's file handling and download functionality, which is an important aspect of web application security.

Files Changed:

  • dojo/templates/dojo/view_eng.html: The change adds the download attribute to the <a> tag that links to the file, which is a positive security improvement.
  • dojo/templates/dojo/view_finding.html: The change adds the download attribute to the link that allows users to download the file associated with a finding, which is also a security-conscious change.
  • dojo/forms.py: The changes in this file update the clean() method of the BaseManageFileFormSet class to validate the file extensions of the uploaded files, preventing the upload of potentially malicious files.
  • dojo/templates/dojo/view_test.html: The change adds the target="_blank" attribute to the file attachment download links, which may introduce potential security risks related to the execution of malicious content within the file attachments.
  • dojo/api_v2/serializers.py: The most notable change is the addition of a validate method to the FileSerializer class, which checks the file extension of the uploaded file and ensures that it is one of the valid file extensions specified in the application's settings. This is an important security measure for the API.

Powered by DryRun Security

@mtesauro (Contributor) left a comment

Approved

@cneill cneill merged commit 3cff053 into DefectDojo:bugfix May 13, 2024
122 checks passed
@Maffooch Maffooch deleted the files branch July 16, 2024 22:41
5 participants