DefectDojo
Improve cvssv3 validation
Although it's not fully clear "what the problem is" reported in #8264 , we want to stop using the regex for validation and use the cvss library in a validator. This PR updates the validator on the model and updates the test cases to reflect the new behaviour. The new behaviour is better:
- When saving via API or UI invalid vectors are recjted. (2 vectors, v3 vectors without a prefix, v3 vectors with a trailing slash, v4 vectors, ...)
- When
Finding.save()is called, no validation is perfrmed by Django. So we have make sure the parsers only store valid vectors.
I updated the parsers that did not yet follow the guidelines in docs/content/en/open_source/contributing/how-to-write-a-parser.md. I considered:
- adding a
set_data_from_cvss_string(...)to the Finding model - adding code to
Finding.save()to validate/parse the vector string
But in the end I went for a helper method in dojo.utils to parse the CVSS vector. This way we have the parsing logic in one central place and the parsers can decide which of the 3 parsed fields they want to use on the model (vector, score, severity). The logic is also failsafe, invalid vectors result in empty cvss fields but won't cause the import to fail.
Remaining questions:
- Do we want to keep the logic in place in
Finding.save()that sets (overwrites) thecvssv3_scoreif a valid vector is set? (I think for now YES) - What to we do when
Finding.save()encounters an invalid vector incvssv3. Should we clear the vector before saving? (I think for now NO) - Do we want to make sure all parsers use the same/new parse function? (I think for now NO as long as they parse the vector correctly)
Risks:
- The parsers are fail-safe, but users submitting invalid CVSSv3 vectors through the API may run into HTTP_400 validation errors. But I'm not sure if that is a bad thing?
Feedback welcome. I also think this is a nice preparation for when we want to support CVSS4 vectors.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Conflicts have been resolved. A maintainer will review the pull request shortly.
This pull request reveals multiple security vulnerabilities across different files, including potential denial of service risks from CVSS parsing, command injection in a unittest script, information disclosure through logging, and inconsistent vulnerability scoring that could misrepresent security severity.
:warning: Potential Malicious Input Processing in dojo/tools/npm_audit_7_plus/parser.py
| Vulnerability | Potential Malicious Input Processing |
|---|---|
| Description | Multiple parsers (Aqua, npm audit, JFrog Xray) introduce parsing of external, untrusted CVSS vector data using parse_cvss_data. While the function is likely designed to be robust, processing external input without comprehensive validation could lead to unexpected behavior or resource consumption issues if the input is maliciously crafted. |
https://github.com/DefectDojo/django-DefectDojo/blob/1a522af41f47c4baa92fcb37379f6fd2da5b9410/dojo/tools/npm_audit_7_plus/parser.py#L3-L9
:warning: CVSS Score Inconsistency in dojo/tools/qualys/parser.py
| Vulnerability | CVSS Score Inconsistency |
|---|---|
| Description | In the Qualys parser, the code unconditionally overwrites the CVSSv3 score derived from the vector with a potentially different CVSS_value. This could lead to incorrect severity representation if the scores from different sources (v2 vs v3) are mixed, potentially misrepresenting the true vulnerability severity. |
https://github.com/DefectDojo/django-DefectDojo/blob/1a522af41f47c4baa92fcb37379f6fd2da5b9410/dojo/tools/qualys/parser.py#L8-L14
:warning: Potential Denial of Service via CVSS Parsing in dojo/utils.py
| Vulnerability | Potential Denial of Service via CVSS Parsing |
|---|---|
| Description | The parse_cvss_data function in dojo/utils.py passes cvss_vector_string directly to cvss.parser.parse_cvss_from_text without input validation. A maliciously crafted CVSS vector string could potentially cause excessive resource consumption during parsing, leading to a denial of service condition. |
https://github.com/DefectDojo/django-DefectDojo/blob/1a522af41f47c4baa92fcb37379f6fd2da5b9410/dojo/utils.py#L15-L32
:warning: Information Disclosure via Logging in dojo/validators.py
| Vulnerability | Information Disclosure via Logging |
|---|---|
| Description | The tag_validator and cvss3_validator functions log user-controlled input directly, which could expose sensitive details or aid attacker reconnaissance. Specifically, logger.error("cvss3_validator called with value: %s", value) and the error message construction in tag_validator embed unvalidated user input in log messages and error responses. |
https://github.com/DefectDojo/django-DefectDojo/blob/1a522af41f47c4baa92fcb37379f6fd2da5b9410/dojo/validators.py#L1-L53
:warning: Command Injection Risk in run-unittest.sh
| Vulnerability | Command Injection Risk |
|---|---|
| Description | The run-unittest.sh script executes a shell command using the user-controlled $TEST_CASE variable without proper sanitization. An attacker could manipulate the TEST_CASE input to inject arbitrary shell commands, potentially leading to remote code execution. The command docker compose exec uwsgi bash -c "python manage.py test $TEST_CASE -v2 --keepdb" directly interpolates user input into a shell command without escaping. |
https://github.com/DefectDojo/django-DefectDojo/blob/1a522af41f47c4baa92fcb37379f6fd2da5b9410/run-unittest.sh#L51-L57
All finding details can be found in the DryRun Security Dashboard.
![dryrunsecurity[bot] avatar](https://avatars.githubusercontent.com/in/377039?v=4 "Published by a pub.dev verified publisher"){kind=small}
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
I will resolve the conflicts after 2.47.3 is release and merged back into dev. There might be more conflicts by then and I don't want to burden the release process with merge conflicts by merging this PR to dev before 2.47.3.
Conflicts have been resolved. A maintainer will review the pull request shortly.
This pull request contains multiple low-risk findings related to CVSS vector parsing, including potential denial of service risks, sensitive input logging, and information disclosure through error messages, though none of the issues are considered blocking or critical.
Potential DoS via CVSS Parsing in dojo/tools/jfrog_xray_unified/parser.py
| Vulnerability | Potential DoS via CVSS Parsing |
|---|---|
| Description | Multiple parsers introduce a utility function parse_cvss_data() which processes untrusted CVSS vector inputs. While the function appears to use a library for parsing, there's a potential risk of resource exhaustion if maliciously crafted CVSS vectors are processed. The parsing occurs in multiple tools like JFrog Xray, Sonatype, and others, increasing the attack surface. |
https://github.com/DefectDojo/django-DefectDojo/blob/15fc291dd25c3c17911a6efb81b36552305d0ba4/dojo/tools/jfrog_xray_unified/parser.py#L2-L8
Logging Sensitive Input in dojo/utils.py
| Vulnerability | Logging Sensitive Input |
|---|---|
| Description | The parse_cvss_data() function in utils.py logs the full CVSS vector string when parsing fails. In a debug or error logging context, this could potentially expose sensitive information if the CVSS vector contains unexpected data. The logging occurs at debug level, which mitigates some risk but doesn't eliminate it completely. |
https://github.com/DefectDojo/django-DefectDojo/blob/15fc291dd25c3c17911a6efb81b36552305d0ba4/dojo/utils.py#L15-L32
Validator Information Disclosure in dojo/validators.py
| Vulnerability | Validator Information Disclosure |
|---|---|
| Description | The validators.py contains error handling that logs and constructs error messages embedding user input. While the input is expected to be CVSS vectors, the direct inclusion of input in error messages could potentially leak implementation details or be used for reconnaissance. |
https://github.com/DefectDojo/django-DefectDojo/blob/15fc291dd25c3c17911a6efb81b36552305d0ba4/dojo/validators.py#L1-L53
All finding details can be found in the DryRun Security Dashboard.