Allow sorting endpoints by ID #11228

Status: Open. Wants to merge 1 commit into base: dev

Conversation

@fopina fopina commented Nov 10, 2024

This allows sorting endpoints by ID, both in UI and API.

The UI doesn't have any ID column, so it's not click-accessible; however, advanced users can still make use of it via o= in the URL.

Motivation is that we do not have a "created" date field in endpoints, in order to find the latest additions.

Sorting by ID (descending in this use case) is a good alternative and less impactful than adding a new date field to the model.

Also adding a small fix in the endpoint list template: when endpoints lose the "product" (not sure how it happens but it did), we're not even able to "see" them as the app would break. Even if there are many more templates that also break, this is the one that lists the endpoints and it already flags "broken" endpoints anyway (though it was not possible to see that flag before this small change).
Let me know if I should remove this latest change from this PR.

also mini-fix to allow paginating over endpoints if any is broken (missing product)
@github-actions github-actions bot added the ui label Nov 10, 2024
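The two behaviours the PR describes (an ordering key taken from the `o=` query parameter, and a listing that survives an endpoint whose product is missing) are shown below as an added, self-contained example. It is not DefectDojo's code: the `Endpoint`/`Product` dataclasses, the sample rows, the `ORDERABLE_FIELDS` allow-list and the function names are assumptions for illustration, standing in for the Django model, the django-filter OrderingFilter and the template. The security-relevant detail is that the ordering field is checked against an allow-list before it is applied, so a client-controlled `o=` value cannot select an arbitrary field.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit


# Hypothetical stand-ins for the project's models (not DefectDojo's real code).
@dataclass
class Product:
    id: int
    name: str


@dataclass
class Endpoint:
    id: int
    host: str
    product: Optional[Product]  # None models the "broken" endpoint from the PR


# Constructed sample data: one endpoint has lost its product.
ENDPOINTS = [
    Endpoint(3, "api.example.test", Product(1, "Shop")),
    Endpoint(1, "www.example.test", Product(1, "Shop")),
    Endpoint(2, "legacy.example.test", None),
]

# Allow-list of fields the `o=` parameter may sort by. Anything else is
# rejected instead of being handed to the ORM, so a client cannot probe
# or sort by fields the UI never exposes.
ORDERABLE_FIELDS = {"id", "host", "product"}


def parse_ordering(url: str) -> list:
    """Return [(field, descending), ...] parsed from the `o=` query parameter.

    Follows django-filter's convention: `o=-id` is descending by id and
    several keys may be comma separated. Unknown fields raise ValueError.
    """
    raw = parse_qs(urlsplit(url).query).get("o", [""])[0]
    ordering = []
    for key in filter(None, raw.split(",")):
        desc = key.startswith("-")
        field = key[1:] if desc else key
        if field not in ORDERABLE_FIELDS:
            raise ValueError(f"cannot order by {field!r}")
        ordering.append((field, desc))
    return ordering


def _sort_key(field: str):
    def key(e: Endpoint):
        if field == "product":
            # A missing product must not raise; endpoints without one sort first.
            return (e.product is not None, e.product.name if e.product else "")
        return getattr(e, field)
    return key


def order_endpoints(endpoints, ordering) -> list:
    """Apply the ordering keys; later keys are applied first so that the
    first key ends up as the primary sort (Python's sort is stable)."""
    result = list(endpoints)
    for field, desc in reversed(ordering):
        result.sort(key=_sort_key(field), reverse=desc)
    return result


def render_row(e: Endpoint) -> str:
    """Template-style row that tolerates a missing product instead of crashing."""
    product = e.product.name if e.product is not None else "(no product, broken)"
    return f"{e.id}\t{e.host}\t{product}"


def list_endpoints(url: str) -> list:
    return [render_row(e) for e in order_endpoints(ENDPOINTS, parse_ordering(url))]


if __name__ == "__main__":
    for row in list_endpoints("/endpoint?o=-id"):
        print(row)
```

Running the block lists the newest endpoint (highest ID) first, which is the "find the latest additions" use case from the description, and the broken endpoint is printed with a marker rather than breaking the page. A request such as `?o=password` is refused by `parse_ordering` before any sorting happens.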
DryRun Security Summary

The pull request focuses on improving the functionality and security of the "Endpoints" page, including access control checks, XSS mitigation, and bulk update capabilities, as well as introducing new filters in the dojo/filters.py file to enhance the filtering capabilities across various models in the Defect Dojo application.

Summary:

The code changes in this pull request focus on improving the functionality and security of the "Endpoints" page in the Dojo application, as well as enhancing the filtering capabilities across various models in the Defect Dojo application.

For the "Endpoints" page, the changes include improvements to the display of product information, access control checks to prevent unauthorized actions, and the use of the url_shortener filter to mitigate potential XSS vulnerabilities. Additionally, the code includes functionality for deleting endpoints and performing bulk updates, which should be carefully reviewed to ensure proper authentication, authorization, and protection against potential security issues like CSRF attacks.

The changes to the dojo/filters.py file introduce a range of new filters, including EndpointFilterHelper, ApiEngagementFilter, ProductFilterHelper, FindingFilterHelper, and EngagementTestFilterHelper. These filters leverage the django-filters library to provide users with the ability to search and filter security-related data, such as findings, tests, and engagements. This functionality is crucial for effectively managing and analyzing application security data, and the filters include support for features like risk acceptance and SLA tracking, which are important for maintaining the overall security posture of the application.

Files Changed:

  1. dojo/templates/dojo/endpoints.html:

    • The changes ensure that product information is only displayed if the e.product is not None, which helps avoid potential errors or unexpected behavior.
    • The code checks the user's permissions before displaying certain actions, such as "New Endpoint" and "Bulk Mitigate", to prevent unauthorized access.
    • The code uses the url_shortener filter to display the endpoint URLs, which helps mitigate potential XSS vulnerabilities.
    • The code includes functionality to delete endpoints, both individually and in bulk, which should be carefully reviewed to ensure proper authentication and authorization.
    • The "Bulk Mitigate" functionality allows users to update the status of multiple endpoints at once, and should be reviewed for potential security issues like CSRF attacks.
  2. dojo/filters.py:

    • The changes introduce several new filters, including EndpointFilterHelper, ApiEngagementFilter, ProductFilterHelper, FindingFilterHelper, and EngagementTestFilterHelper, which provide users with the ability to search and filter security-related data.
    • The filters are implemented using the django-filters library and include a variety of filter types, such as CharFilter, NumberFilter, DateRangeFilter, and MultipleChoiceFilter.
    • The filters include support for filtering based on tags, which is an important feature for managing and organizing application security-related data.
    • The filters are designed to be flexible and extensible, allowing for customization of the filter fields and options based on the specific requirements of the application.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer with findings: Configured Codepaths Analyzer (2 findings)

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.
