Skip to content

Fix DojoGroupSerializer to handle empty permissions list #13447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 17, 2025
Merged

Fix DojoGroupSerializer to handle empty permissions list #13447

merged 2 commits into from
Oct 17, 2025

Conversation

@Maffooch
Copy link
Contributor

@Maffooch Maffooch commented Oct 17, 2025

Update the DojoGroupSerializer to clear permissions when an empty list is provided, ensuring proper handling of permission updates.

@Maffooch Maffooch requested a review from mtesauro as a code owner October 17, 2025 01:11
@dryrunsecurity
Copy link

dryrunsecurity bot commented Oct 17, 2025
edited
Loading

DryRun Security

This pull request introduces a change that allows a user with standard Permissions.Group_Edit on a given group to clear all group permissions by submitting an empty auth_group.permissions list, effectively enabling denial-of-service for group members because there is no elevated/explicit permission check for this sensitive action. It recommends adding a stricter authorization check (or separate permission) for clearing all permissions to prevent misuse.

Authorization flaw allowing group permission clearing in dojo/api_v2/serializers.py
Vulnerability Authorization flaw allowing group permission clearing
Description The patch introduces a mechanism to clear all group permissions if an empty list is provided in the auth_group.permissions field. The authorization logic for updating a group (via DojoGroupViewSet and UserHasDojoGroupPermission) only checks for Permissions.Group_Edit. This means any user with Permissions.Group_Edit on a specific group can send a request to clear all permissions for that group, leading to a denial of service for its members. There is no specific, elevated permission check for the sensitive action of clearing all group permissions.

django-DefectDojo/dojo/api_v2/serializers.py

Lines 731 to 732 in 29a44ab

if isinstance(permissions_in_payload, list) and len(permissions_in_payload) == 0:
instance.auth_group.permissions.clear()

All finding details can be found in the DryRun Security Dashboard.

@mtesauro mtesauro requested a review from blakeaowens October 17, 2025 01:13
mtesauro
mtesauro approved these changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro requested a review from Jino-T October 17, 2025 01:14
@github-actions github-actions bot added the apiv2 label Oct 17, 2025
@Maffooch Maffooch added this to the 2.51.2 milestone Oct 17, 2025
@Maffooch Maffooch merged commit 9c35b78 into bugfix Oct 17, 2025
151 checks passed
@Maffooch Maffooch deleted the dojo-groups-edit-config-perms branch October 17, 2025 16:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Jino-T Jino-T Jino-T approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees

No one assigned

Labels

apiv2

Projects

None yet

Milestone

2.51.2

Development

Successfully merging this pull request may close these issues.

6 participants

@Maffooch @mtesauro @valentijnscholten @Jino-T @blakeaowens