
Setting status code on 400/500 errors #10164

Status: Merged (1 commit, May 8, 2024)

Conversation

cneill (Collaborator) commented May 8, 2024

Description

Because DefectDojo uses a custom error handler for 400/500 errors that does not set a status code, 200 status codes will be returned even when an exception is raised. This means that Django logs those exceptions at the INFO level rather than a more appropriate WARNING / ERROR level. This patch simply sets the status codes to 400/500.

Test results

In my testing, 500 status codes are now returned when exceptions are raised, and those requests are now logged at an ERROR level.

[sc-5912]
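To make the failure mode in the description concrete, here is an added, stand-alone illustration (not the PR's code and not DefectDojo's): a stand-in for Django's `render`/`HttpResponse`, a "before" error handler that never sets a status, the "after" handlers that set 500/400, and a copy of the status-to-level rule Django's request logging applies. The handler bodies and the `request` object are assumptions for the example.

```python
import logging


class HttpResponse:
    """Stand-in for django.http.HttpResponse (assumption, not Django's class)."""

    def __init__(self, content, status=200):
        self.content = content
        self.status_code = status


def render(request, template_name, context=None, status=200):
    """Stand-in for django.shortcuts.render: status defaults to 200, as in Django."""
    return HttpResponse(f"<rendered {template_name}>", status=status)


def custom_error_view_before(request, exception=None):
    # "Before": the error page renders, but no status is set, so a 200 goes out.
    return render(request, "500.html", {})


def custom_error_view_after(request, exception=None):
    # "After": same handler with the server-error status set explicitly.
    return render(request, "500.html", {}, status=500)


def custom_bad_request_view_after(request, exception=None):
    return render(request, "400.html", {}, status=400)


def log_level_for(response):
    """Threshold rule used by Django's request logging (django.utils.log.log_response):
    5xx -> "error", 4xx -> "warning", anything else -> "info"."""
    if response.status_code >= 500:
        return "error"
    if response.status_code >= 400:
        return "warning"
    return "info"


def log_response(logger, message, response):
    level = log_level_for(response)
    getattr(logger, level)("%s: status=%d", message, response.status_code)
    return level


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("django.request")
    request = object()  # constructed placeholder; a real view gets an HttpRequest
    for handler in (custom_error_view_before, custom_error_view_after):
        log_response(log, handler.__name__, handler(request, RuntimeError("boom")))
```

Run as a script, the "before" handler is logged at INFO and the "after" handler at ERROR, which is the difference the PR description reports.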


dryrunsecurity bot commented May 8, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings:
  Configured Codepaths Analyzer: 0 findings
  Sensitive Files Analyzer: 0 findings
  AppSec Analyzer: 0 findings
  Authn/Authz Analyzer: 0 findings
  Secrets Analyzer: 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request are focused on improving the error handling in the Django application. Specifically, the custom_error_view and custom_bad_request_view functions have been updated to ensure that the appropriate HTTP status codes (500 for server-side errors and 400 for bad requests) are being returned.

From an application security perspective, these changes are generally positive as they provide more accurate information to the client and improve the overall user experience. Additionally, the code in the views.py file appears to handle various types of objects (e.g., Product, Engagement, Test, Finding, Endpoint) and their associated permissions, which suggests a well-designed and secure application architecture where access to sensitive data is controlled based on user roles and permissions.

Files Changed:

  • dojo/views.py: The changes in this file are focused on improving the error handling in the Django application. Specifically, the custom_error_view function has been updated to return a 500 HTTP status code, and the custom_bad_request_view function has been updated to return a 400 HTTP status code. These changes ensure that the appropriate error information is being communicated to the client, which can help improve the overall user experience and security of the application.

Powered by DryRun Security

@cneill cneill marked this pull request as draft May 8, 2024 21:54
@cneill cneill marked this pull request as ready for review May 8, 2024 21:55
@Maffooch Maffooch merged commit 7258c9e into DefectDojo:bugfix May 8, 2024
122 checks passed