Decorator and permissions updates

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: devGregA

dojo/api_v2/views.py

@@ -700,7 +700,8 @@ def download_file(self, request, file_id, pk=None):
         responses={status.HTTP_200_OK: serializers.EngagementUpdateJiraEpicSerializer},
     )
     @action(
-        detail=True, methods=["post"], permission_classes=[IsAuthenticated],
+        detail=True, methods=["post"],
+        permission_classes=(IsAuthenticated, permissions.UserHasEngagementRelatedObjectPermission),
     )
     def update_jira_epic(self, request, pk=None):
         engagement = self.get_object()

dojo/engagement/views.py

@@ -1378,6 +1378,9 @@ def edit_risk_acceptance(request, eid, raid):
 def view_edit_risk_acceptance(request, eid, raid, *, edit_mode=False):
     risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
     eng = get_object_or_404(Engagement, pk=eid)
+    # Ensure the risk acceptance belongs to the supplied engagement
+    if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists():
+        raise PermissionDenied
 
     if edit_mode and not eng.product.enable_full_risk_acceptance:
         raise PermissionDenied
@@ -1539,6 +1542,9 @@ def expire_risk_acceptance(request, eid, raid):
     risk_acceptance = get_object_or_404(prefetch_for_expiration(Risk_Acceptance.objects.all()), pk=raid)
     # Validate the engagement ID exists before moving forward
     get_object_or_404(Engagement, pk=eid)
+    # Ensure the risk acceptance belongs to the supplied engagement
+    if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists():
+        raise PermissionDenied
 
     ra_helper.expire_now(risk_acceptance)
 
@@ -1549,6 +1555,9 @@ def expire_risk_acceptance(request, eid, raid):
 def reinstate_risk_acceptance(request, eid, raid):
     risk_acceptance = get_object_or_404(prefetch_for_expiration(Risk_Acceptance.objects.all()), pk=raid)
     eng = get_object_or_404(Engagement, pk=eid)
+    # Ensure the risk acceptance belongs to the supplied engagement
+    if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists():
+        raise PermissionDenied
 
     if not eng.product.enable_full_risk_acceptance:
         raise PermissionDenied
@@ -1562,6 +1571,9 @@ def reinstate_risk_acceptance(request, eid, raid):
 def delete_risk_acceptance(request, eid, raid):
     risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
     eng = get_object_or_404(Engagement, pk=eid)
+    # Ensure the risk acceptance belongs to the supplied engagement
+    if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists():
+        raise PermissionDenied
 
     ra_helper.delete(eng, risk_acceptance)
 

dojo/finding/views.py

@@ -32,7 +32,7 @@
 import dojo.finding.helper as finding_helper
 import dojo.jira_link.helper as jira_helper
 import dojo.risk_acceptance.helper as ra_helper
-from dojo.authorization.authorization import user_has_permission_or_403
+from dojo.authorization.authorization import user_has_global_permission_or_403, user_has_permission_or_403
 from dojo.authorization.authorization_decorators import (
     user_has_global_permission,
     user_is_authorized,
@@ -1732,6 +1732,9 @@ def mktemplate(request, fid):
 
 @user_is_authorized(Finding, Permissions.Finding_Edit, "fid")
 def find_template_to_apply(request, fid):
+    # Templates may contain sensitive data from any product; require global permission
+    # to match the authorization level of the /template list view
+    user_has_global_permission_or_403(request.user, Permissions.Finding_Edit)
     finding = get_object_or_404(Finding, id=fid)
     test = get_object_or_404(Test, id=finding.test.id)
     templates_by_cve = (

dojo/product/views.py

@@ -1597,7 +1597,7 @@ def engagement_presets(request, pid):
 @user_is_authorized(Product, Permissions.Product_Edit, "pid")
 def edit_engagement_presets(request, pid, eid):
     prod = get_object_or_404(Product, id=pid)
-    preset = get_object_or_404(Engagement_Presets, id=eid)
+    preset = get_object_or_404(Engagement_Presets, id=eid, product_id=pid)
 
     product_tab = Product_Tab(prod, title=_("Edit Engagement Preset"), tab="settings")
 
@@ -1646,7 +1646,7 @@ def add_engagement_presets(request, pid):
 @user_is_authorized(Product, Permissions.Product_Edit, "pid")
 def delete_engagement_presets(request, pid, eid):
     prod = get_object_or_404(Product, id=pid)
-    preset = get_object_or_404(Engagement_Presets, id=eid)
+    preset = get_object_or_404(Engagement_Presets, id=eid, product_id=pid)
     form = DeleteEngagementPresetsForm(instance=preset)
 
     if request.method == "POST":

dojo/survey/views.py

@@ -57,7 +57,7 @@
 @user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
 def delete_engagement_survey(request, eid, sid):
     engagement = get_object_or_404(Engagement, id=eid)
-    survey = get_object_or_404(Answered_Survey, id=sid)
+    survey = get_object_or_404(Answered_Survey, id=sid, engagement_id=eid)
     questions = get_answered_questions(survey=survey, read_only=True)
     form = Delete_Questionnaire_Form(instance=survey)
 
@@ -96,7 +96,7 @@ def delete_engagement_survey(request, eid, sid):
 
 
 def answer_questionnaire(request, eid, sid):
-    survey = get_object_or_404(Answered_Survey, id=sid)
+    survey = get_object_or_404(Answered_Survey, id=sid, engagement_id=eid)
     engagement = get_object_or_404(Engagement, id=eid)
     system_settings = System_Settings.objects.all()[0]
 
@@ -162,7 +162,7 @@ def answer_questionnaire(request, eid, sid):
 
 @user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
 def assign_questionnaire(request, eid, sid):
-    survey = get_object_or_404(Answered_Survey, id=sid)
+    survey = get_object_or_404(Answered_Survey, id=sid, engagement_id=eid)
     engagement = get_object_or_404(Engagement, id=eid)
 
     form = AssignUserForm(instance=survey)
@@ -183,7 +183,7 @@ def assign_questionnaire(request, eid, sid):
 
 @user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
 def view_questionnaire(request, eid, sid):
-    survey = get_object_or_404(Answered_Survey, id=sid)
+    survey = get_object_or_404(Answered_Survey, id=sid, engagement_id=eid)
     engagement = get_object_or_404(Engagement, id=eid)
     questions = get_answered_questions(survey=survey, read_only=True)
 

dojo/tools/ms_defender/parser.py

@@ -42,6 +42,11 @@ def get_findings(self, file, test):
             else:
                 input_zip = zipfile.ZipFile(file, "r")
 
+            max_size = 256 * 1024 * 1024  # 256 MB
+            total_size = sum(info.file_size for info in input_zip.infolist())
+            if total_size > max_size:
+                msg = f"Zip file uncompressed content exceeds maximum allowed size ({total_size} > {max_size})"
+                raise ValueError(msg)
             zipdata = {name: input_zip.read(name) for name in input_zip.namelist()}
             vulnerabilityfiles = []
             machinefiles = []

dojo/tools/sonarqube/parser.py

@@ -42,6 +42,11 @@ def get_findings(self, file, test):
                 input_zip = zipfile.ZipFile(file.name, "r")
             else:
                 input_zip = zipfile.ZipFile(file, "r")
+            max_size = 256 * 1024 * 1024  # 256 MB
+            total_size = sum(info.file_size for info in input_zip.infolist())
+            if total_size > max_size:
+                msg = f"Zip file uncompressed content exceeds maximum allowed size ({total_size} > {max_size})"
+                raise ValueError(msg)
             zipdata = {name: input_zip.read(name) for name in input_zip.namelist()}
             return SonarQubeRESTAPIZIP().get_items(zipdata, test, self.mode)
         parser = etree.HTMLParser()