
Validate consistency between ID-based and name-based identifiers in import/reimport#14636

Open
Jino-T wants to merge 3 commits into DefectDojo:bugfix from Jino-T:reimport-change

Conversation

@Jino-T Jino-T (Contributor) commented Apr 3, 2026

  • Add validation in the import and reimport permission checks to ensure that when both ID-based
    identifiers (e.g. test, engagement) and name-based identifiers (e.g. product_name, engagement_name) are
    provided, they refer to the same objects
  • Add defense-in-depth checks in AutoCreateContextManager to reject conflicting resolution paths at the
    target lookup layer
  • Add tests covering the new validation behavior

@github-actions github-actions bot added the "New Migration" (Adding a new migration file. Take care when merging.) and "apiv2" labels Apr 3, 2026
Validate that ID-resolved objects (test, engagement) are consistent with
name-based identifiers (product_name, engagement_name) in both the
permission check layer and the AutoCreateContextManager resolution layer.
This prevents an attacker from passing their own engagement/test ID to
satisfy the permission check while using name-based fields to target a
victim's product.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch changed the base branch from dev to bugfix April 14, 2026 21:26
@github-actions github-actions bot added the "unittests" label and removed the "New Migration" (Adding a new migration file. Take care when merging.) label Apr 14, 2026
- Switch permission checks to use ID comparisons (product_id, engagement_id)
  where resolved objects are available, with name fallback for unresolved cases
- Add engagement_name validation to UserHasImportPermission (was missing)
- Fix ruff string quoting in auto_create_context.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch changed the title Reimport change Validate consistency between ID-based and name-based identifiers in import/reimport Apr 14, 2026
The engagement field is not declared on ReImportScanSerializer and gets
stripped during validation. The permission check must also strip it so it
resolves targets the same way execution does — by name, not by a stale
engagement ID from request.data.

Update test to verify the engagement param is ignored and permission is
checked against the name-resolved target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
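The PR description and the three commit messages above describe the check only in prose. The block below is an added Python illustration written for this page, not DefectDojo's code: the field names (test, engagement, product_name, engagement_name) follow the PR text, but the dataclasses, the dict-based lookup tables, the REIMPORT_DECLARED_FIELDS set and every function are hypothetical stand-ins for the real Django models, serializers and permission classes. It shows the attack the first commit describes (an attacker's own engagement ID satisfying the permission check while name-based fields point at a victim's product), the ID-first comparison with name fallback from the second commit, and the reimport case from the third, where an undeclared engagement field is stripped before resolution so the permission check is evaluated against the name-resolved target.

```python
"""Cross-check ID-based and name-based import targets (added illustration, not
DefectDojo's code). The field names follow the PR text; the dataclasses, the
dict-based lookup tables and every function are hypothetical stand-ins for the
real Django models, serializers and permission classes."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Product:
    id: int
    name: str

@dataclass(frozen=True)
class Engagement:
    id: int
    name: str
    product: Product

@dataclass(frozen=True)
class Test:
    id: int
    engagement: Engagement

class ConflictingIdentifiers(ValueError):
    """The ID-based target and the name-based target are different objects."""

# Hypothetical reimport serializer fields: 'engagement' is deliberately absent, so a
# permission check that reads it from request.data would resolve a different target
# than the execution path, which only ever sees declared fields.
REIMPORT_DECLARED_FIELDS = frozenset({"test", "product_name", "engagement_name", "scan_type"})

def strip_undeclared(data: dict, declared: frozenset) -> dict:
    """Drop the keys the serializer would discard before resolving anything."""
    return {k: v for k, v in data.items() if k in declared}

def resolve_by_id(data: dict, engagements: dict, tests: dict) -> Optional[Engagement]:
    """Engagement implied by an ID-based field, or None if none was supplied."""
    if "test" in data:
        test = tests.get(data["test"])
        return test.engagement if test else None
    if "engagement" in data:
        return engagements.get(data["engagement"])
    return None

def resolve_by_name(data: dict, engagements: dict) -> Optional[Engagement]:
    """Engagement whose product name and engagement name both match, or None."""
    for eng in engagements.values():
        if eng.product.name == data.get("product_name") and eng.name == data.get("engagement_name"):
            return eng
    return None

def validate_consistency(data: dict, products_by_name: dict, engagements: dict, tests: dict) -> Optional[Engagement]:
    """Reject a request whose ID-resolved target disagrees with its name-based fields.
    Product identity is compared by id when the named product resolves, by name otherwise."""
    resolved = resolve_by_id(data, engagements, tests)
    if resolved is None:
        return None  # nothing to cross-check; name-based resolution applies
    product_name = data.get("product_name")
    if product_name is not None:
        named = products_by_name.get(product_name)
        same = named.id == resolved.product.id if named else product_name == resolved.product.name
        if not same:
            raise ConflictingIdentifiers(f"product_name {product_name!r} is not the product of engagement {resolved.id}")
    engagement_name = data.get("engagement_name")
    if engagement_name is not None and engagement_name != resolved.name:
        raise ConflictingIdentifiers(f"engagement_name {engagement_name!r} is not engagement {resolved.id}")
    return resolved

def permission_target(data: dict, products_by_name: dict, engagements: dict, tests: dict, reimport: bool = False) -> Optional[Engagement]:
    """Object the permission check is evaluated against. Under reimport the undeclared
    keys are stripped first, so a stale 'engagement' id cannot steer the check."""
    if reimport:
        data = strip_undeclared(data, REIMPORT_DECLARED_FIELDS)
    resolved = validate_consistency(data, products_by_name, engagements, tests)
    return resolved if resolved is not None else resolve_by_name(data, engagements)

# Constructed sample data: the attacker owns engagement 1 (and test 10) under
# "attacker-app"; the victim's engagement 2 lives under "victim-app".
ATTACKER_PRODUCT = Product(1, "attacker-app")
VICTIM_PRODUCT = Product(2, "victim-app")
ENGAGEMENTS = {1: Engagement(1, "attacker-eng", ATTACKER_PRODUCT), 2: Engagement(2, "victim-eng", VICTIM_PRODUCT)}
TESTS = {10: Test(10, ENGAGEMENTS[1])}
PRODUCTS_BY_NAME = {p.name: p for p in (ATTACKER_PRODUCT, VICTIM_PRODUCT)}

def rejected(data: dict, reimport: bool = False) -> bool:
    """True if the sample request is refused as inconsistent."""
    try:
        permission_target(data, PRODUCTS_BY_NAME, ENGAGEMENTS, TESTS, reimport=reimport)
    except ConflictingIdentifiers:
        return True
    return False

if __name__ == "__main__":
    attack = {"engagement": 1, "product_name": "victim-app", "engagement_name": "victim-eng"}
    print("import:", "rejected" if rejected(attack) else "accepted")
    print("reimport target:", permission_target(attack, PRODUCTS_BY_NAME, ENGAGEMENTS, TESTS, reimport=True))
```

Two details are worth noting when applying this pattern to a real permission class. The consistency check must sit in front of the permission evaluation, not after it, because the whole point is that the ID-based object the caller has rights to is not the object the request will actually operate on. And the permission layer must see exactly the fields the execution layer sees: if a serializer silently drops a field, evaluating permissions against that field produces a check on an object the import never touches, which is the reimport case the last commit fixes.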
@Maffooch Maffooch marked this pull request as ready for review April 14, 2026 22:32
@Maffooch Maffooch requested a review from mtesauro as a code owner April 14, 2026 22:32
@Maffooch Maffooch added this to the 2.57.2 milestone Apr 14, 2026
2 participants