
Conversation

@kiblik
Contributor

@kiblik kiblik commented Oct 16, 2025

Fix N805 by making methods static or implementing them correctly.

@dryrunsecurity

DryRun Security

This pull request introduces a potential authorization bypass in which the rate-limiting decorator can cause enable_force_password_reset to be invoked by unauthenticated attackers: by repeatedly attempting logins for different valid usernames an attacker can trigger the rate limit and force password reset for those accounts, effectively enabling denial-of-service and unauthorized security actions on other users' accounts.

Potential Authorization Bypass on Password Reset Flag in dojo/models.py

Vulnerability: Potential Authorization Bypass on Password Reset Flag

Description: The enable_force_password_reset method, when called from the rate-limiting decorator in dojo/decorators.py, can be triggered by an unauthenticated attacker. By repeatedly attempting to log in with different valid usernames, an attacker can cause the rate limit to be hit for those users, thereby forcing them to reset their passwords. This constitutes a denial of service for legitimate users and an authorization bypass, as an attacker can force a security action on another user's account without proper authorization.

```python
def force_password_reset(user):
    return hasattr(user, "usercontactinfo") and user.usercontactinfo.force_password_reset

def disable_force_password_reset(self):
    if hasattr(self, "usercontactinfo"):
        self.usercontactinfo.force_password_reset = False
        self.usercontactinfo.save()

def enable_force_password_reset(self):
    if hasattr(self, "usercontactinfo"):
        self.usercontactinfo.force_password_reset = True
        self.usercontactinfo.save()

@staticmethod
def generate_full_name(user):
```


All finding details can be found in the DryRun Security Dashboard.

@github-actions github-actions bot added the lint label Oct 16, 2025
@valentijnscholten valentijnscholten added this to the 2.52.0 milestone Oct 16, 2025
Contributor

@mtesauro mtesauro left a comment


Approved

@valentijnscholten
Member

@kiblik would it make sense to double check the (force) change password still works?

@mtesauro
Contributor

> @kiblik would it make sense to double check the (force) change password still works?

Great point @valentijnscholten, I really doubt we have a test for that flow.

@kiblik
Contributor Author

kiblik commented Oct 20, 2025

> @kiblik would it make sense to double check the (force) change password still works?

Well, I had not been able to test enable_force_password_reset in dojo_ratelimit (doing a local DoS attack is possible, but I am not sure if I need to go that far with testing).
But I tried to change the value of force_password_reset manually, and disable_force_password_reset in change_password was working as expected (after a successful change of password, the value was cleared).
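Since the thread notes there is no automated test for this flow, here is an added example (not DefectDojo's code) that exercises it offline: Django-free stand-ins for Dojo_User and UserContactInfo carrying the three methods from the snippet above, a constructed stand-in for the change_password success path, and a constructed stand-in for the rate-limit path DryRun flagged, where the account that gets the flag is chosen by a username taken from an unauthenticated request. The class and function names are assumptions made for this example.

```python
# Added example (not DefectDojo's code): Django-free stand-ins so the
# force-password-reset flow discussed in this PR can be unit-tested offline.
class FakeContactInfo:
    # Stand-in for UserContactInfo; save() just counts would-be ORM writes.
    def __init__(self):
        self.force_password_reset = False
        self.saves = 0

    def save(self):
        self.saves += 1


class FakeUser:
    # Stand-in for Dojo_User carrying the three methods from the snippet.
    def __init__(self, username, password, contact_info=None):
        self.username = username
        self.password = password
        # In Django a missing reverse one-to-one relation raises on access, so
        # hasattr() is False; emulate that by not defining the attribute.
        if contact_info is not None:
            self.usercontactinfo = contact_info

    @staticmethod
    def force_password_reset(user):
        return hasattr(user, "usercontactinfo") and user.usercontactinfo.force_password_reset

    def disable_force_password_reset(self):
        if hasattr(self, "usercontactinfo"):
            self.usercontactinfo.force_password_reset = False
            self.usercontactinfo.save()

    def enable_force_password_reset(self):
        if hasattr(self, "usercontactinfo"):
            self.usercontactinfo.force_password_reset = True
            self.usercontactinfo.save()


def change_password(user, new_password):
    # Constructed stand-in for the change_password success path checked by
    # hand in the PR: store the password, then clear the flag.
    user.password = new_password
    user.disable_force_password_reset()
    return not FakeUser.force_password_reset(user)


def on_login_rate_limited(users_by_name, submitted_username):
    # Constructed stand-in for the decorator path DryRun flagged: the username
    # comes from an unauthenticated request, yet it selects the flagged account.
    user = users_by_name.get(submitted_username)
    if user is not None:
        user.enable_force_password_reset()
    return user
```

A regression test built on these stand-ins checks that the flag is cleared after a successful password change and that a user without contact info is left untouched.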

@valentijnscholten valentijnscholten merged commit b2eda48 into DefectDojo:dev Oct 20, 2025
148 checks passed
@kiblik kiblik deleted the ruff/N805 branch October 20, 2025 17:07