🎉 implement new threatmapper file format #13639 #13655
Conversation
This pull request includes a finding that the malware CSV parsing functions in dojo/tools/deepfence_threatmapper/malware.py access multiple header keys without sufficient existence checks, which can raise an unhandled KeyError when expected headers (e.g., 'File Name', 'Summary', 'Severity') are missing and potentially expose stack traces or internal details. Although calling code performs some initial checks, the lack of comprehensive key validation or a higher-level try/except makes the code vulnerable to information disclosure on malformed input.
Information Disclosure via Unhandled Key Error in
| Vulnerability | Information Disclosure via Unhandled Key Error |
|---|---|
| Description | The _parse_old_format and _parse_new_format methods in dojo/tools/deepfence_threatmapper/malware.py access multiple keys from the headers dictionary without comprehensive checks for their existence. While the calling code in parser.py and the get_findings method in malware.py perform initial checks for a few critical headers, these checks are insufficient to guarantee the presence of all keys subsequently accessed within the parsing functions. If a malformed input CSV file is processed where a required header (e.g., 'File Name', 'Summary', 'Severity') is missing, a KeyError will be raised. Without a higher-level try...except block to handle this specific exception, it could lead to an unhandled exception, potentially exposing sensitive stack traces or internal system details in error messages or logs. |
django-DefectDojo/dojo/tools/deepfence_threatmapper/malware.py
Lines 45 to 47 in 9d9c0ea

```python
Rule_Name = row[headers["Rule Name"]]
File_Name = row[headers["File Name"]]
Summary = row[headers["Summary"]]
```
All finding details can be found in the DryRun Security Dashboard.
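The finding above is about a CSV parser that indexes a header map (`row[headers["Rule Name"]]`) without first confirming every required column exists. The following is an added example, not code from the DefectDojo project, showing the unchecked pattern beside a hardened parser that validates the full required header set up front and turns a malformed export into a single, deliberately worded error instead of a stray `KeyError` (or `IndexError` on a short row). The required column set, the `MalformedReport` exception and the sample CSV text are assumptions constructed for the example.

```python
import csv
import io

# Assumed required columns. The page names 'File Name', 'Summary' and 'Severity'
# and the quoted snippet shows 'Rule Name'; the exact set in the project may differ.
REQUIRED_HEADERS = ("Rule Name", "File Name", "Summary", "Severity")

# Constructed sample exports: one complete, one missing the 'Summary' column.
GOOD_CSV = (
    "Rule Name,File Name,Summary,Severity\n"
    "Sample rule,/tmp/sample.bin,Matched sample rule,high\n"
)
BAD_CSV = (
    "Rule Name,File Name,Severity\n"
    "Sample rule,/tmp/sample.bin,high\n"
)


class MalformedReport(ValueError):
    """Raised for any structural problem in the upload; safe to show to the user."""


def build_header_index(header_row):
    """Map column name -> position, as the parser in the finding does."""
    return {name: idx for idx, name in enumerate(header_row)}


def parse_row_unchecked(headers, row):
    """Mirrors the pattern in the finding: every lookup may raise KeyError
    if the column is absent, and IndexError if the row is shorter than the
    header. Neither is caught here, so they propagate to the caller."""
    return {
        "rule_name": row[headers["Rule Name"]],
        "file_name": row[headers["File Name"]],
        "summary": row[headers["Summary"]],
        "severity": row[headers["Severity"]],
    }


def missing_headers(headers):
    """Return the required columns that are not present, in declared order."""
    return [name for name in REQUIRED_HEADERS if name not in headers]


def parse_report(text):
    """Hardened variant: validate structure once, before any field access."""
    reader = csv.reader(io.StringIO(text))
    try:
        header_row = next(reader)
    except StopIteration:
        raise MalformedReport("report is empty") from None

    headers = build_header_index(header_row)
    missing = missing_headers(headers)
    if missing:
        # One clear message; no KeyError and no stack trace reaches the user.
        raise MalformedReport(
            "report is missing required columns: " + ", ".join(missing)
        )

    findings = []
    for line_no, row in enumerate(reader, start=2):
        if not row:
            continue  # tolerate blank trailing lines
        if len(row) < len(header_row):
            raise MalformedReport(
                f"line {line_no}: expected {len(header_row)} fields, got {len(row)}"
            )
        # Safe now: every required key exists and every index is in range.
        findings.append(parse_row_unchecked(headers, row))
    return findings
```

Validating the header set once, at the top, is cheaper and clearer than wrapping each field access in try/except, and it produces an error message that says which column is missing without leaking anything about the server. The caller can then map `MalformedReport` to a normal "invalid upload" response while leaving genuinely unexpected exceptions to the usual error handling.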
mtesauro
left a comment
Approved
Nice! Is there an estimate on when these changes will be reflected? Will we get this fix in the new minor or further down the line?
On the next release, so upcoming Monday they should be live @shodanwashere
#13639