sla: parse finding.date implicitly #12301


Merged

Conversation

@valentijnscholten valentijnscholten commented Apr 23, 2025

Fixes #12299 introduced in #11924

The old code had parsing in place for parsers that didn't set the finding.date correctly. These parsers provided a str instead of a date. This PR ensures this implicit parsing is performed with the simplified SLA logic.

This implicit parsing was tucked away in the _age() method:

def _age(self, start_date):
    from dateutil.parser import parse
    # Parsers that stored finding.date as a str get it converted to a date here
    if start_date and isinstance(start_date, str):
        start_date = parse(start_date).date()

The unit tests of parsers don't trigger this SLA logic; we'll look to add more checks to the parser unit tests in a future PR.

All affected parsers are now working again:

image
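As an added example (not code from this PR or from DefectDojo), the str/date normalisation the restored _age() path relies on, followed by the age computation it feeds. It replaces dateutil's free-form parse() with an explicit allow-list of stdlib formats so that an unrecognised string fails loudly instead of being guessed; the function names, the accepted formats and the clamp-at-zero behaviour are assumptions of this example.

```python
from datetime import date, datetime

# Constructed allow-list of string layouts a parser might store in
# finding.date; the real parsers vary, so this is an assumption.
_ACCEPTED_FORMATS = (
    "%Y-%m-%d",
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%dT%H:%M:%S",
    "%Y-%m-%dT%H:%M:%SZ",
)


def normalize_finding_date(value):
    """Return a date for whatever a parser stored in finding.date, or None.

    Same shape as the implicit str -> date conversion the PR restores, but
    with strptime against known formats rather than dateutil.parser.parse().
    """
    if value is None or value == "":
        return None
    if isinstance(value, datetime):  # datetime is a date subclass: test it first
        return value.date()
    if isinstance(value, date):
        return value
    if isinstance(value, str):
        text = value.strip()
        for fmt in _ACCEPTED_FORMATS:
            try:
                return datetime.strptime(text, fmt).date()
            except ValueError:
                continue
        raise ValueError(f"unrecognised finding.date string: {value!r}")
    raise TypeError(f"finding.date must be str/date/datetime, got {type(value).__name__}")


def age_in_days(start_date, today=None):
    """Days elapsed since the finding date; None/empty counts as 0."""
    start = normalize_finding_date(start_date)
    if start is None:
        return 0
    today = today or date.today()
    # Clamping at 0 (a future date is not negative age) is this example's choice.
    return max((today - start).days, 0)


def sla_days_remaining(start_date, sla_days, today=None):
    """Positive = days left within the SLA, negative = days overdue."""
    return sla_days - age_in_days(start_date, today)
```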

dryrunsecurity bot commented Apr 23, 2025

DryRun Security

This pull request involves potential date parsing and validation risks, with observations about flexible date parsing using dateutil and incomplete input validation that could lead to unexpected parsing behavior or security vulnerabilities.

💭 Unconfirmed Findings (3)

- Date Parsing Flexibility Risk: Using dateutil.parser.parse() allows flexible date parsing but could introduce risks if input is not carefully sanitized, potentially leading to unexpected parsing behavior.
- Commented Validation Concern: A commented validation block suggests unimplemented input validation, indicating a lack of strict type checking for date inputs and potential vulnerability in date field handling.
- Input Validation Testing Observation: Test method examines different date input formats, verifying Django validation for datetime strings and implicitly testing potential date parsing vulnerabilities.

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten added this to the 2.45.3 milestone Apr 23, 2025
@mtesauro mtesauro left a comment

Approved

@Maffooch Maffooch merged commit b413437 into DefectDojo:bugfix Apr 24, 2025
77 checks passed