security: do not reveal products, product types and findings in metrics and reports to unauthorized users (#3410)

* several issues in metrics and reports

* one user too many

* EndpointFilter with user from request

* integration tests + fix metrics js errors

* metrics: cache per user

* integration tests + fix metrics js errors

Co-authored-by: Valentijn Scholten <[email protected]>

Author: StefanFl

docker-compose.override.integration_tests.yml

@@ -9,7 +9,9 @@ services:
     depends_on:
       - nginx
       - uwsgi
-    entrypoint: ['/wait-for-it.sh', 'mysql:3306', '-t', '30', '--', '/entrypoint-integration-tests.sh']
+    entrypoint: ['/wait-for-it.sh', 'mysql:3306', '-t', '30', '--', '/app/docker/entrypoint-integration-tests.sh']
+    volumes:
+      - '.:/app:z'
     environment:
       DD_BASE_URL: 'http://nginx:8080/'
       DD_ADMIN_USER: ${DD_ADMIN_USER:-admin}

dojo/filters.py

@@ -17,9 +17,10 @@
 from dojo.models import Dojo_User, Product_Type, Finding, Product, Test_Type, \
     Endpoint, Development_Environment, Finding_Template, Report, Note_Type, \
     Engagement_Survey, Question, TextQuestion, ChoiceQuestion, Endpoint_Status, Engagement, \
-    ENGAGEMENT_STATUS_CHOICES
+    ENGAGEMENT_STATUS_CHOICES, Test
 from dojo.utils import get_system_setting
 from django.contrib.contenttypes.models import ContentType
+from crum import get_current_user
 
 logger = logging.getLogger(__name__)
 
@@ -1072,6 +1073,18 @@ def __init__(self, *args, **kwargs):
         self.form.fields['severity'].choices = self.queryset.order_by(
             'numerical_severity'
         ).values_list('severity', 'severity').distinct()
+        if get_current_user() is not None and not get_current_user().is_staff:
+            self.form.fields[
+                'test__engagement__product__prod_type'].queryset = Product_Type.objects.filter(
+                authorized_users__in=[get_current_user()])
+            self.form.fields[
+                'test'].queryset = Test.objects.filter(
+                Q(engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(engagement__product__prod_type__authorized_users__in=[get_current_user()]))
+            self.form.fields[
+                'duplicate_finding'].queryset = Finding.objects.filter(
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()]))
 
     class Meta:
         model = Finding
@@ -1117,6 +1130,18 @@ def __init__(self, *args, **kwargs):
         self.form.fields['finding__severity'].choices = self.queryset.order_by(
             'finding__numerical_severity'
         ).values_list('finding__severity', 'finding__severity').distinct()
+        if get_current_user() is not None and not get_current_user().is_staff:
+            self.form.fields[
+                'finding__test__engagement__product__prod_type'].queryset = Product_Type.objects.filter(
+                authorized_users__in=[get_current_user()])
+            self.form.fields[
+                'endpoint'].queryset = Endpoint.objects.filter(
+                Q(product__authorized_users__in=[get_current_user()]) |
+                Q(product__prod_type__authorized_users__in=[get_current_user()]))
+            self.form.fields[
+                'finding'].queryset = Finding.objects.filter(
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()]))
 
     class Meta:
         model = Endpoint_Status
@@ -1227,8 +1252,10 @@ def __init__(self, *args, **kwargs):
             self.user = kwargs.pop('user')
         super(EndpointFilter, self).__init__(*args, **kwargs)
         if self.user and not self.user.is_staff:
-            self.form.fields['product'].queryset = Product.objects.filter(
-                authorized_users__in=[self.user]).distinct().order_by('name')
+            self.form.fields[
+                'product'].queryset = Product.objects.filter(
+                Q(authorized_users__in=[self.user]) |
+                Q(prod_type__authorized_users__in=[self.user])).distinct().order_by('name')
 
     class Meta:
         model = Endpoint
@@ -1286,28 +1313,30 @@ class ReportAuthedFindingFilter(DojoFilter):
     out_of_scope = ReportBooleanFilter()
 
     def __init__(self, *args, **kwargs):
-        self.user = None
-        if 'user' in kwargs:
-            self.user = kwargs.pop('user')
         super(ReportAuthedFindingFilter, self).__init__(*args, **kwargs)
-        if not self.user.is_staff:
+        if get_current_user() and not get_current_user().is_staff:
             self.form.fields[
                 'test__engagement__product'].queryset = Product.objects.filter(
-                authorized_users__in=[self.user])
+                Q(authorized_users__in=[get_current_user()]) |
+                Q(prod_type__authorized_users__in=[get_current_user()]))
             self.form.fields[
                 'test__engagement__product__prod_type'].queryset = Product_Type.objects.filter(
-                authorized_users__in=[self.user])
+                authorized_users__in=[get_current_user()])
+            self.form.fields[
+                'duplicate_finding'].queryset = Finding.objects.filter(
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()]))
 
     @property
     def qs(self):
         parent = super(ReportAuthedFindingFilter, self).qs
-        if self.user.is_staff:
-            return parent
-        else:
+        if get_current_user() and not get_current_user().is_staff:
             return parent.filter(
-                Q(test__engagement__product__authorized_users__in=[self.user]) |
-                Q(test__engagement__product__prod_type__authorized_users__in=[self.user])
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()])
             )
+        else:
+            return parent
 
     class Meta:
         model = Finding

dojo/fixtures/product_type.json

@@ -1,7 +1,8 @@
 [
   {
     "fields": {
-      "name": "Research and Development"
+      "name": "Research and Development",
+      "critical_product": true
     },
     "model": "dojo.product_type",
     "pk": 1

dojo/forms.py

@@ -32,6 +32,7 @@
 from dojo.user.helper import user_is_authorized
 from django.urls import reverse
 import logging
+from crum import get_current_user
 
 logger = logging.getLogger(__name__)
 
@@ -1631,6 +1632,12 @@ class ProductTypeCountsForm(forms.Form):
                                           error_messages={
                                               'required': '*'})
 
+    def __init__(self, *args, **kwargs):
+        super(ProductTypeCountsForm, self).__init__(*args, **kwargs)
+        if get_current_user() is not None and not get_current_user().is_staff:
+            self.fields['product_type'].queryset = Product_Type.objects.filter(
+                authorized_users__in=[get_current_user()])
+
 
 class APIKeyForm(forms.ModelForm):
     id = forms.IntegerField(required=True,

dojo/metrics/views.py

@@ -27,6 +27,8 @@
 from dojo.utils import get_page_items, add_breadcrumb, findings_this_period, opened_in_period, count_findings, \
     get_period_counts, get_system_setting, get_punchcard_data, queryset_check
 from functools import reduce
+from dojo.user.helper import objects_authorized
+from django.views.decorators.vary import vary_on_cookie
 
 logger = logging.getLogger(__name__)
 
@@ -41,6 +43,7 @@ def critical_product_metrics(request, mtype):
     template = 'dojo/metrics.html'
     page_name = 'Critical Product Metrics'
     critical_products = Product_Type.objects.filter(critical_product=True)
+    critical_products = objects_authorized(critical_products)
     add_breadcrumb(title=page_name, top_level=not len(request.GET), request=request)
     return render(request, template, {
         'name': page_name,
@@ -125,6 +128,11 @@ def finding_querys(prod_type, request):
                         'WHERE dojo_risk_acceptance_accepted_findings.finding_id = dojo_finding.id',
         },
     )
+    if not request.user.is_staff:
+        findings_query = findings_query.filter(
+            Q(test__engagement__product__authorized_users__in=[request.user]) |
+            Q(test__engagement__product__prod_type__authorized_users__in=[request.user]))
+
     active_findings_query = Finding.objects.filter(verified=True, active=True,
                                       severity__in=('Critical', 'High', 'Medium', 'Low', 'Info')).prefetch_related(
         'test__engagement__product',
@@ -139,6 +147,10 @@ def finding_querys(prod_type, request):
                         'WHERE dojo_risk_acceptance_accepted_findings.finding_id = dojo_finding.id',
         },
     )
+    if not request.user.is_staff:
+        active_findings_query = active_findings_query.filter(
+            Q(test__engagement__product__authorized_users__in=[request.user]) |
+            Q(test__engagement__product__prod_type__authorized_users__in=[request.user]))
 
     findings = MetricsFindingFilter(request.GET, queryset=findings_query)
     active_findings = MetricsFindingFilter(request.GET, queryset=active_findings_query)
@@ -180,6 +192,10 @@ def finding_querys(prod_type, request):
         accepted_findings_counts = Finding.objects.filter(risk_acceptance__created__date__range=[start_date, end_date],
                                                           test__engagement__product__prod_type__in=prod_type). \
             prefetch_related('test__engagement__product')
+        if not request.user.is_staff:
+            accepted_findings_counts = accepted_findings_counts.filter(
+                Q(test__engagement__product__authorized_users__in=[request.user]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[request.user]))
         accepted_findings_counts = severity_count(accepted_findings_counts, 'aggregate', 'severity')
     else:
         findings_closed = Finding.objects.filter(mitigated__date__range=[start_date, end_date]).prefetch_related(
@@ -188,8 +204,20 @@ def finding_querys(prod_type, request):
             prefetch_related('test__engagement__product')
         accepted_findings_counts = Finding.objects.filter(risk_acceptance__created__date__range=[start_date, end_date]). \
             prefetch_related('test__engagement__product')
+        if not request.user.is_staff:
+            accepted_findings_counts = accepted_findings_counts.filter(
+                Q(test__engagement__product__authorized_users__in=[request.user]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[request.user]))
         accepted_findings_counts = severity_count(accepted_findings_counts, 'aggregate', 'severity')
 
+    if not request.user.is_staff:
+        findings_closed = findings_closed.filter(
+            Q(test__engagement__product__authorized_users__in=[request.user]) |
+            Q(test__engagement__product__prod_type__authorized_users__in=[request.user]))
+        accepted_findings = accepted_findings.filter(
+            Q(test__engagement__product__authorized_users__in=[request.user]) |
+            Q(test__engagement__product__prod_type__authorized_users__in=[request.user]))
+
     r = relativedelta(end_date, start_date)
     months_between = (r.years * 12) + r.months
     # include current month
@@ -212,6 +240,10 @@ def finding_querys(prod_type, request):
                                      engagement__test__finding__severity__in=(
                                          'Critical', 'High', 'Medium', 'Low'),
                                      prod_type__in=prod_type)
+    if not request.user.is_staff:
+        top_ten = top_ten.filter(
+            Q(authorized_users__in=[request.user]) |
+            Q(prod_type__authorized_users__in=[request.user]))
     top_ten = severity_count(top_ten, 'annotate', 'engagement__test__finding__severity').order_by('-critical', '-high', '-medium', '-low')[:10]
 
     filters['all'] = findings
@@ -238,6 +270,10 @@ def endpoint_querys(prod_type, request):
         'finding__test__engagement__risk_acceptance',
         'finding__risk_acceptance_set',
         'finding__reporter')
+    if not request.user.is_staff:
+        endpoints_query = endpoints_query.filter(
+            Q(endpoint__product__authorized_users__in=[request.user]) |
+            Q(endpoint__product__prod_type__authorized_users__in=[request.user]))
 
     active_endpoints_query = Endpoint_Status.objects.filter(mitigated=False,
                                       finding__severity__in=('Critical', 'High', 'Medium', 'Low', 'Info')).prefetch_related(
@@ -246,6 +282,10 @@ def endpoint_querys(prod_type, request):
         'finding__test__engagement__risk_acceptance',
         'finding__risk_acceptance_set',
         'finding__reporter')
+    if not request.user.is_staff:
+        active_endpoints_query = active_endpoints_query.filter(
+            Q(endpoint__product__authorized_users__in=[request.user]) |
+            Q(endpoint__product__prod_type__authorized_users__in=[request.user]))
 
     endpoints = MetricsEndpointFilter(request.GET, queryset=endpoints_query)
     active_endpoints = MetricsEndpointFilter(request.GET, queryset=active_endpoints_query)
@@ -287,6 +327,10 @@ def endpoint_querys(prod_type, request):
         accepted_endpoints_counts = Endpoint_Status.objects.filter(date__range=[start_date, end_date], risk_accepted=True,
                                                           finding__test__engagement__product__prod_type__in=prod_type). \
             prefetch_related('finding__test__engagement__product')
+        if not request.user.is_staff:
+            accepted_endpoints_counts = accepted_endpoints_counts.filter(
+                Q(endpoint__product__authorized_users__in=[request.user]) |
+                Q(endpoint__product__prod_type__authorized_users__in=[request.user]))
         accepted_endpoints_counts = severity_count(accepted_endpoints_counts, 'aggregate', 'finding__severity')
     else:
         endpoints_closed = Endpoint_Status.objects.filter(mitigated__date__range=[start_date, end_date]).prefetch_related(
@@ -295,8 +339,20 @@ def endpoint_querys(prod_type, request):
             prefetch_related('finding__test__engagement__product')
         accepted_endpoints_counts = Endpoint_Status.objects.filter(date__range=[start_date, end_date], risk_accepted=True). \
             prefetch_related('finding__test__engagement__product')
+        if not request.user.is_staff:
+            accepted_endpoints_counts = accepted_endpoints_counts.filter(
+                Q(endpoint__product__authorized_users__in=[request.user]) |
+                Q(endpoint__product__prod_type__authorized_users__in=[request.user]))
         accepted_endpoints_counts = severity_count(accepted_endpoints_counts, 'aggregate', 'finding__severity')
 
+    if not request.user.is_staff:
+        endpoints_closed = endpoints_closed.filter(
+            Q(endpoint__product__authorized_users__in=[request.user]) |
+            Q(endpoint__product__prod_type__authorized_users__in=[request.user]))
+        accepted_endpoints = accepted_endpoints.filter(
+            Q(endpoint__product__authorized_users__in=[request.user]) |
+            Q(endpoint__product__prod_type__authorized_users__in=[request.user]))
+
     r = relativedelta(end_date, start_date)
     months_between = (r.years * 12) + r.months
     # include current month
@@ -317,6 +373,10 @@ def endpoint_querys(prod_type, request):
                                      engagement__test__finding__severity__in=(
                                          'Critical', 'High', 'Medium', 'Low'),
                                      prod_type__in=prod_type)
+    if not request.user.is_staff:
+        top_ten = top_ten.filter(
+            Q(authorized_users__in=[request.user]) |
+            Q(prod_type__authorized_users__in=[request.user]))
     top_ten = severity_count(top_ten, 'annotate', 'engagement__test__finding__severity').order_by('-critical', '-high', '-medium', '-low')[:10]
 
     filters['all'] = endpoints
@@ -334,6 +394,7 @@ def endpoint_querys(prod_type, request):
 
 
 @cache_page(60 * 5)  # cache for 5 minutes
+@vary_on_cookie
 def metrics(request, mtype):
     template = 'dojo/metrics.html'
     show_pt_filter = True
@@ -362,6 +423,7 @@ def metrics(request, mtype):
         prod_type = Product_Type.objects.filter(id__in=request.GET.getlist('test__engagement__product__prod_type', []))
     else:
         prod_type = Product_Type.objects.all()
+    prod_type = objects_authorized(prod_type)
 
     filters = dict()
     if view == 'Finding':
@@ -470,6 +532,7 @@ def metrics(request, mtype):
 
 
 @cache_page(60 * 5)  # cache for 5 minutes
+@vary_on_cookie
 def simple_metrics(request):
     now = timezone.now()
 
@@ -485,7 +548,9 @@ def simple_metrics(request):
 
     # for each product type find each product with open findings and
     # count the S0, S1, S2 and S3
-    for pt in Product_Type.objects.order_by('name'):
+    product_types = Product_Type.objects.order_by('name')
+    product_types = objects_authorized(product_types)
+    for pt in product_types:
         total_critical = []
         total_high = []
         total_medium = []
@@ -503,8 +568,9 @@ def simple_metrics(request):
                                        date__month=now.month,
                                        date__year=now.year,
                                        ).distinct()
+        total = objects_authorized(total.all())
 
-        for f in total.all():
+        for f in total:
             if f.severity == "Critical":
                 total_critical.append(f)
             elif f.severity == 'High':
@@ -522,7 +588,7 @@ def simple_metrics(request):
             if f.date.year == now.year and f.date.month == now.month:
                 total_opened.append(f)
 
-        findings_broken_out['Total'] = total.count()
+        findings_broken_out['Total'] = len(total)
         findings_broken_out['S0'] = len(total_critical)
         findings_broken_out['S1'] = len(total_high)
         findings_broken_out['S2'] = len(total_medium)
@@ -546,6 +612,7 @@ def simple_metrics(request):
 
 
 # @cache_page(60 * 5)  # cache for 5 minutes
+# @vary_on_cookie
 def product_type_counts(request):
     form = ProductTypeCountsForm()
     opened_in_period_list = []
@@ -645,6 +712,10 @@ def product_type_counts(request):
                 'test__engagement__risk_acceptance',
                 'reporter').order_by(
                 'numerical_severity')
+            if not request.user.is_staff:
+                all_current_in_pt = all_current_in_pt.filter(
+                    Q(test__engagement__product__authorized_users__in=[request.user]) |
+                    Q(test__engagement__product__prod_type__authorized_users__in=[request.user]))
 
             top_ten = Product.objects.filter(engagement__test__finding__date__lte=end_date,
                                              engagement__test__finding__verified=True,
@@ -655,6 +726,10 @@ def product_type_counts(request):
                                              engagement__test__finding__severity__in=(
                                                  'Critical', 'High', 'Medium', 'Low'),
                                              prod_type=pt)
+            if not request.user.is_staff:
+                top_ten = top_ten.filter(
+                    Q(authorized_users__in=[request.user]) |
+                    Q(prod_type__authorized_users__in=[request.user]))
             top_ten = severity_count(top_ten, 'annotate', 'engagement__test__finding__severity').order_by('-critical', '-high', '-medium', '-low')[:10]
 
             cip = {'S0': 0,
@@ -733,6 +808,7 @@ def engineer_metrics(request):
 # noinspection DjangoOrm
 @user_passes_test(lambda u: u.is_staff)
 @cache_page(60 * 5)  # cache for 5 minutes
+@vary_on_cookie
 def view_engineer(request, eid):
     user = get_object_or_404(Dojo_User, pk=eid)
     if not (request.user.is_superuser or