fix(explorer): only return active projects #103434
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -259,15 +259,19 @@ def get_organization_slug(*, org_id: int) -> dict: | |
|
|
||
|
|
||
| def get_organization_project_ids(*, org_id: int) -> dict: | ||
| """Get all active projects (IDs and slugs) for an organization""" | ||
| from sentry.models.project import Project | ||
|
|
||
| try: | ||
| organization = Organization.objects.get(id=org_id) | ||
| except Organization.DoesNotExist: | ||
| return {"projects": []} | ||
|
|
||
| projects = list( | ||
| Project.objects.filter(organization=organization, status=ObjectStatus.ACTIVE).values( | ||
| "id", "slug" | ||
| ) | ||
|
Comment on lines
+271
to
+273
There was a problem hiding this comment. High severity vulnerability may affect your project—review required: ℹ️ Why this mattersAffected versions of Django are vulnerable to Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). SQL injection in Django's ORM column aliases: when using QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), or QuerySet.extra() with dictionary expansion (**kwargs), the dictionary keys are used unescaped as SQL column aliases. On MySQL and MariaDB backends, an attacker who can influence those keys (for example, by passing a crafted dict of annotations) can inject arbitrary SQL into the generated query. To resolve this comment:
💬 Ignore this findingTo ignore this, reply with:
You can view more details on this finding in the Semgrep AppSec Platform here. |
||
| ) | ||
|
|
||
| return {"projects": projects} | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical severity and reachable issue identified in your code:
Line 271 has a vulnerable usage of django, introducing a critical severity vulnerability.
ℹ️ Why this is reachable
A reachable issue is a real security risk because your project actually executes the vulnerable code. This issue is reachable because your code uses a certain version of django.
Affected versions of django are vulnerable to Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The ORM methods QuerySet.filter(), QuerySet.exclude(), QuerySet.get() and the Q() class can be tricked into SQL injection when you pass a specially crafted dictionary via **kwargs that includes a malicious
_connectorentry. This bypasses the normal query parameterization and lets an attacker inject arbitrary SQL into the WHERE clause.References: GHSA, CVE
To resolve this comment:
Upgrade this dependency to at least version 5.2.8 at uv.lock.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasonsYou can view more details on this finding in the Semgrep AppSec Platform here.