You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Generic Finding Import is capable of importing data from the report that influences the name of the test type and some other fields on the test. This behavior could be expanded to also influence the static_tool and dynamic_tool fields as well.
The following things were added to accomplish this:
Expand the ParserTest class to accommodate the new fields
Rework the dynamic test parser in the importers to allow for fields to be set during import, and overwritten during reimport if fields are supplied
Unit tests at the parser and import/reimport level to cover to above
This pull request reveals multiple security concerns including potential metadata injection risks, dynamic code loading vulnerabilities, expanded attack surfaces through flexible input handling, disabled SSL redirects, and insecure token-based authentication practices that could compromise the application's security if not addressed.
💭 Unconfirmed Findings (5)
Vulnerability
Potential Metadata Injection Risk
Description
In dojo/importers/base_importer.py, new methods update_test_from_internal_test and update_test_type_from_internal_test directly set test and test type attributes from parser-provided metadata without explicit validation. This could allow an attacker to manipulate test metadata if the parser is compromised.
Vulnerability
Potential Dynamic Code Loading Risk
Description
In dojo/tools/parser_test.py, dynamic module loading via importlib based on settings configuration could potentially allow loading of arbitrary classes if PARSER_TEST_CLASS_PATH is not strictly controlled, leading to potential code execution if settings are manipulated.
Vulnerability
Expanded Attack Surface via Kwargs
Description
In dojo/tools/parser_test.py, switching to using *args and **kwargs increases the potential attack surface by allowing more flexible and potentially unvalidated input during class initialization.
Vulnerability
Disabled SSL Redirect
Description
In unittests/test_generic_meta_import.py, settings.SECURE_SSL_REDIRECT is set to False, which could bypass TLS/SSL security redirects during testing and should not be used in production.
Vulnerability
Token-based Authentication Exposure
Description
In unittests/test_generic_meta_import.py, hardcoded admin user token for authentication demonstrates the use of static authentication credentials, which could be a security anti-pattern if adopted in production.
It looks that this PR allow to change test name (in update_test_from_internal_test). But it does nothing with test type.
Am I reading this correctly?
So #10219 would still be in place. Is there any chance to solve it as well?
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Generic Finding Import is capable of importing data from the report that influences the name of the test type and some other fields on the test. This behavior could be expanded to also influence the
static_toolanddynamic_toolfields as well.The following things were added to accomplish this:
ParserTestclass to accommodate the new fields[sc-11026]