1010 ScansViewSet , StubFindingsViewSet , TestsViewSet , \
1111 ToolConfigurationsViewSet , ToolProductSettingsViewSet , ToolTypesViewSet , \
1212 UsersViewSet , ImportScanView , NoteTypeViewSet , AppAnalysisViewSet , \
13- EndpointStatusViewSet , SonarqubeIssueViewSet , SonarqubeIssueTransitionViewSet , \
14- SonarqubeProductViewSet , NotesViewSet
13+ EndpointStatusViewSet , SonarqubeIssueViewSet , NotesViewSet
1514from json import dumps
1615from django .urls import reverse
1716from rest_framework .authtoken .models import Token
@@ -74,6 +73,11 @@ def test_detail(self):
7473 relative_url = self .url + '%s/' % current_objects ['results' ][0 ]['id' ]
7574 response = self .client .get (relative_url )
7675 self .assertEqual (200 , response .status_code )
76+ # sensitive data must be set to write_only so those are not returned in the response
77+ # https://github.com/DefectDojo/django-DefectDojo/security/advisories/GHSA-8q8j-7wc4-vjg5
78+ self .assertFalse ('password' in response .data )
79+ self .assertFalse ('ssh' in response .data )
80+ self .assertFalse ('api_key' in response .data )
7781
7882 @skipIfNotSubclass ('DestroyModelMixin' )
7983 def test_delete (self ):
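Review bot: The three new assertions in test_detail check only the top-level keys of response.data, so a secret surfaced through a nested serializer (a related object embedded in the detail response) would not be caught; if any viewset in the suite embeds such objects, a recursive walk over dicts and lists would close that gap, and presumably the list endpoint deserves the same check, which this hunk does not add. `self.assertFalse('password' in response.data)` is better written `self.assertNotIn('password', response.data)`, which also reports the actual keys on failure; the same applies to the three assertions added in test_update below. test_detail's body begins outside the hunk.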
@@ -90,9 +94,12 @@ def test_update(self):
9094 relative_url , self .update_fields )
9195 for key , value in self .update_fields .items ():
9296 # some exception as push_to_jira has been implemented strangely in the update methods in the api
93- if key != 'push_to_jira' :
97+ if key not in [ 'push_to_jira' , 'ssh' , 'password' , 'api_key' ] :
9498 self .assertEqual (value , response .data [key ])
9599 self .assertFalse ('push_to_jira' in response .data )
100+ self .assertFalse ('ssh' in response .data )
101+ self .assertFalse ('password' in response .data )
102+ self .assertFalse ('api_key' in response .data )
96103 response = self .client .put (
97104 relative_url , self .payload )
98105 self .assertEqual (200 , response .status_code )
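Review bot: The exclusion list `['push_to_jira', 'ssh', 'password', 'api_key']` on the `if key not in` line restates the write-only field names that test_detail asserts on separately, so the two tests can drift apart when another secret field is marked write_only; hoisting the names to a class attribute such as `WRITE_ONLY_FIELDS = ('ssh', 'password', 'api_key')` and using it in both the skip condition and the assertNotIn checks keeps them in step. Since the list is never mutated, a tuple or set would also make the intent clearer. test_update's body starts outside the hunk, before the continuation line at the top of it.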