pghistory: add context for each process and celery tasks #13988
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
valentijnscholten
force-pushed
the
pghistory-contexts
branch
from
f93b22b to
5afe3c0
Compare
valentijnscholten
changed the title
Maffooch
approved these changes
Dec 29, 2025
blakeaowens
approved these changes
Dec 29, 2025
🔴 Risk threshold exceeded.This pull request includes sensitive edits to dojo/api_v2/views.py and introduces a potential IDOR in dojo/finding/views.py where finding_bulk_update_all filters Finding by user-supplied IDs without scoping to the authenticated user's permitted findings, allowing unauthorized access or modification of other users' findings.
🔴 Configured Codepaths Edit in
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🟡 Potential IDOR Vulnerability in dojo/finding/views.py
| Vulnerability | Potential IDOR Vulnerability |
|---|---|
| Description | The function finding_bulk_update_all retrieves Finding objects using user-supplied IDs from request.POST.getlist("finding_to_update") via Finding.objects.filter(id__in=finding_to_update). This query is not scoped to the authenticated user's authorized findings (e.g., via ownership or product permissions), allowing a low-privilege user to fetch and potentially modify findings belonging to products they do not have access to, thus creating an Insecure Direct Object Reference (IDOR) vulnerability. |
django-DefectDojo/dojo/finding/views.py
Lines 2566 to 2568 in a22093e
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Jino-T
approved these changes
Dec 29, 2025
valentijnscholten
added a commit
to valentijnscholten/django-DefectDojo
that referenced
this pull request
Dec 29, 2025
…13988) * pghistory: add context for each process * pghistory: pass on context to celery tasks * support vue as source --------- Co-authored-by: Valentijn Scholten <valentijn.scholten@iodigital.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds context to each high level process, i.e. import, reimport, async_dedupe_delete, etc.
Context now looks like this:
With pghistory you cannot nest contexts. If you nest them, they will just get merged. Data in the "child" context will overwrite data in the existing ("parent") context. This means we cannot set context data for "subprocesses" like close_old_findings or deduplication. We only set the context at the UI/API/COMMAND entrypoints with a
sourcefield.This PR also propagates pghistory contexts to celery tasks. This will have all async tasks during import grouped under one import context instead of no context.