API: Allow filtering users on last_login/date_joined #12640

Merged
mtesauro merged 1 commit into DefectDojo:bugfix from valentijnscholten:user-api-filter-dates
Jun 20, 2025

Conversation

@valentijnscholten (Member)

Allow filtering on last_login and date_joined to help users manage users via the API. Inspired by #12611

@dryrunsecurity (DryRun Security)

This pull request contains a potential security concern in the ApiUserFilter where sensitive user metadata could be exposed, though the current implementation has some access controls in place through the UsersViewSet permissions.

Sensitive User Information Exposure in dojo/filters.py
Vulnerability: Sensitive User Information Exposure
Description: The ApiUserFilter exposes multiple sensitive user fields like is_active, is_superuser, last_login, and date_joined. While the UsersViewSet is restricted to superusers via permission_classes, the filter itself allows detailed querying of user attributes. This could potentially leak sensitive user metadata if access controls are not strictly maintained.

Test_Import_Finding_Action,
Test_Type,
TextQuestion,
User,
Vulnerability_Id,
)
from dojo.product.queries import get_authorized_products


All finding details can be found in the DryRun Security Dashboard.
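The following is an added example, not DefectDojo's own code: a pure-Python model of the last_login/date_joined range filtering this PR describes, with the superuser gate the review comment relies on applied before any filtering happens. The User dataclass, the django-filter-style "field__lookup" parameter names and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class User:
    username: str
    is_superuser: bool
    date_joined: datetime
    last_login: "datetime | None"  # None: the account has never logged in


class PermissionDenied(Exception):
    pass


# "field__lookup" parameters in django-filter style (assumed shape).
_LOOKUPS = {"gte": lambda v, b: v >= b, "lte": lambda v, b: v <= b,
            "gt": lambda v, b: v > b, "lt": lambda v, b: v < b}
_DATE_FIELDS = {"last_login", "date_joined"}


def _parse_params(params):
    """Turn {'last_login__lte': '2025-01-01T00:00:00+00:00'} into predicates."""
    predicates = []
    for key, raw in params.items():
        field, _, lookup = key.partition("__")
        if field not in _DATE_FIELDS or lookup not in _LOOKUPS:
            raise ValueError(f"unsupported filter parameter: {key}")
        bound = datetime.fromisoformat(raw)
        if bound.tzinfo is None:  # reject naive timestamps: ambiguous bounds
            raise ValueError(f"{key}: timestamp must be timezone-aware")
        predicates.append((field, _LOOKUPS[lookup], bound))
    return predicates


def filter_users(requester, users, params):
    """Usernames matching every predicate; the superuser gate comes first."""
    if not requester.is_superuser:
        raise PermissionDenied("user listing is restricted to superusers")
    predicates = _parse_params(params)
    # A never-logged-in user has last_login=None and can satisfy no comparison,
    # so it is excluded instead of raising a TypeError on None < datetime.
    return [u.username for u in users
            if all(getattr(u, f) is not None and op(getattr(u, f), b)
                   for f, op, b in predicates)]


# Constructed sample accounts (not real DefectDojo data); all times are UTC.
_T = lambda d: datetime.fromisoformat(d + "T00:00:00+00:00")
ADMIN = User("admin", True, _T("2024-01-01"), _T("2025-06-01"))
SAMPLE_USERS = [ADMIN,
                User("alice", False, _T("2024-03-01"), _T("2025-05-20")),
                User("bob", False, _T("2024-09-15"), _T("2024-12-01")),
                User("carol", False, _T("2025-02-10"), None)]
```

Combining `date_joined__gte` with `last_login__lt` is the stale-account query an administrator would run for account hygiene; a non-superuser caller is refused before any parameter is parsed.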

@Maffooch Maffooch requested review from dogboat and hblankenship June 20, 2025 14:54
@mtesauro mtesauro (Contributor) left a comment


Approved

@mtesauro mtesauro merged commit 1ba222c into DefectDojo:bugfix Jun 20, 2025
77 checks passed