Add null check for engagement in permission validation #13832
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Maffooch
added
the
affects_pro
|
This pull request introduces a potential authorization bypass: Risk_Acceptance objects can exist without an associated Engagement, and when that happens the permission check falls back to global permissions, allowing users with global rights to access or modify risk acceptances that should be subject to product/engagement-level controls.
Authorization Bypass in Risk Acceptance in
|
| Vulnerability | Authorization Bypass in Risk Acceptance |
|---|---|
| Description | The Risk_Acceptance model's engagement property can return None if a Risk_Acceptance object is not associated with any Engagement. The API endpoint /api/v2/accepted_findings/accept_risks/ allows the creation of Risk_Acceptance objects. These objects are associated with Finding objects, but not directly with an Engagement at the time of creation. The AcceptedFindingsMixin iterates through authorized engagements and calls engagement.accept_risks(accepted), which adds the Risk_Acceptance to the engagement's ManyToMany field. However, if a Risk_Acceptance is created and then later disassociated from all engagements (or if the initial association fails for some reason), it would exist without an engagement. In such a scenario, the permission check in user_has_permission for Risk_Acceptance objects would fall back to user_has_global_permission. This means a user with global permissions could access a Risk_Acceptance object that is not tied to any specific product/engagement, bypassing the intended granular product-level permission check. |
django-DefectDojo/dojo/authorization/authorization.py
Lines 103 to 105 in ebce671
All finding details can be found in the DryRun Security Dashboard.
valentijnscholten
approved these changes
Dec 6, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement a null check for the engagement object in the permission validation for Risk Acceptance to prevent potential errors when accessing its properties. This change enhances the robustness of the permission checking logic.
[sc-12218]