Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disallow multiple single-use notes on a single object #11306

Merged
merged 2 commits into from
Dec 3, 2024

Conversation

hblankenship
Copy link
Collaborator

[sc-6050]

Returns a BAD_REQUEST status and an error message when attempting to POST a note with a Note Type of 'is_single' - if another Note with that Note Type already exists on the given object (finding, engagement, test).

@github-actions github-actions bot added the apiv2 label Nov 21, 2024
Copy link

dryrunsecurity bot commented Nov 21, 2024

DryRun Security Summary

The code change in this pull request implements a new feature that restricts the creation of multiple instances of a specific note type on an engagement, finding, or test, which is a security-focused improvement to the Defect Dojo application.

Expand for full summary

Summary:

The code change in this pull request appears to be a security-focused improvement to the Defect Dojo application. The key change is the implementation of a new feature that restricts the creation of multiple instances of a specific note type on an engagement, finding, or test. This change is likely an application security enhancement to prevent users from accidentally creating multiple instances of certain note types, which could lead to confusion or unintended behavior in the application.

From an application security perspective, this change is a positive step, as it helps to enforce data integrity and consistency within the application. By restricting the creation of multiple instances of specific note types, the application reduces the risk of data inconsistency and potential security vulnerabilities that could arise from such inconsistencies. Overall, this code change appears to be a well-considered improvement to the Defect Dojo application, with a focus on enhancing the application's security and data integrity.

Files Changed:

  • dojo/api_v2/views.py: This file has been updated to include a new check in the notes action of the EngagementViewSet, FindingViewSet, and TestsViewSet. The check ensures that only one instance of a note type with the is_single flag set to True can be created on the respective object. If an attempt is made to create a second instance of a note type marked as is_single, the API will return a 400 Bad Request response with an appropriate error message.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit 0882320 into bugfix Dec 3, 2024
75 checks passed
@Maffooch Maffooch deleted the hb-disallow-multiple-singleuse-note-type branch December 3, 2024 16:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants