
API: Convert get_filterset calls to get_queryset #10543

Merged (1 commit, Jul 9, 2024)

Conversation

@Maffooch (Contributor) commented Jul 9, 2024

Correcting copy/paste errors from #10503

The get_filterset method uses the request object to perform database filtering based upon the kwargs supplied in the request body. The intended behavior is to use the get_queryset method to override the functionality that fetches all objects from the database, with filtering being performed afterwards.
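To make the failure mode concrete, here is an added example (not code from DefectDojo or Django REST Framework) that models the DRF call order, list() = filter_queryset(get_queryset()), with a constructed Finding row type, a constructed AUTHORIZED_PRODUCTS map and two viewsets: one that put its authorization scope in a method named get_filterset, which the generic view pipeline never calls, and one that puts it in get_queryset as this PR does.

```python
# Added example, not DefectDojo's or DRF's own code: a minimal stand-in for a
# DRF GenericViewSet that shows why an authorization scope placed in a view
# method named get_filterset is silently ignored while get_queryset is honoured.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:  # constructed stand-in for a DefectDojo model row
    id: int
    product: str
    severity: str


# constructed sample rows; user "alice" is only authorized for product "shop"
FINDINGS = [
    Finding(1, "shop", "High"),
    Finding(2, "shop", "Low"),
    Finding(3, "payroll", "High"),
]
AUTHORIZED_PRODUCTS = {"alice": {"shop"}}  # constructed authorization table


class GenericViewSet:
    """Mimics the DRF pipeline: list() == filter_queryset(get_queryset())."""
    queryset = FINDINGS

    def __init__(self, user, params):
        self.user, self.params = user, params

    def get_queryset(self):
        # default: fetch every object from the "database"
        return list(self.queryset)

    def filter_queryset(self, qs):
        # the filter backend: narrow by request parameters (e.g. ?severity=High)
        return [f for f in qs if all(getattr(f, k) == v for k, v in self.params.items())]

    def list(self):
        return self.filter_queryset(self.get_queryset())


def authorized(user, qs):
    return [f for f in qs if f.product in AUTHORIZED_PRODUCTS.get(user, set())]


class FindingViewSetBefore(GenericViewSet):
    # the copy/paste bug: nothing in the pipeline calls a view method named
    # get_filterset, so this scope is dead code and every row is returned
    def get_filterset(self):
        return authorized(self.user, super().get_queryset())


class FindingViewSetAfter(GenericViewSet):
    # the fix: scope the base queryset first, then let the backend filter it
    def get_queryset(self):
        return authorized(self.user, super().get_queryset())


def visible_ids(viewset_cls, user, **params):
    return [f.id for f in viewset_cls(user, params).list()]
```

A regression test that asserts an unauthorized product never appears in visible_ids for the fixed viewset is the cheapest way to catch this class of misnamed-override bug.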

@github-actions github-actions bot added the apiv2 label Jul 9, 2024

dryrunsecurity bot commented Jul 9, 2024

DryRun Security Summary

The pull request refactors the filter_queryset method to get_queryset in various ViewSets in the dojo/api_v2/views.py file, a common pattern in Django REST Framework that is likely to improve the application's performance and maintainability, while the access control and authorization mechanisms remain in place to ensure users can only access the data they are authorized to view.


Summary:

The code changes in this pull request appear to be a refactoring of the filter_queryset method to get_queryset in various ViewSets in the dojo/api_v2/views.py file. This change is a common pattern in Django REST Framework (DRF) and is likely to improve the overall performance and maintainability of the application.

From an application security perspective, the changes do not appear to introduce any significant security risks. The access control and authorization mechanisms (e.g., permission_classes) remain in place, ensuring that users can only access the data they are authorized to view. However, it's important to continue monitoring the application's security posture and address any potential vulnerabilities, such as ensuring proper input sanitization and validation, verifying the access control and authorization mechanisms, and monitoring for any unusual activity or security incidents.

Files Changed:

  • dojo/api_v2/views.py: This file has been updated to replace the filter_queryset method with get_queryset in various ViewSets. This change is a common pattern in DRF and is likely to improve the overall performance and maintainability of the application. The access control and authorization mechanisms remain in place, ensuring that users can only access the data they are authorized to view.

Code Analysis

We ran 7 analyzers against 1 file and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer with findings: Authn/Authz Analyzer (19 findings)

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.


sonarcloud bot commented Jul 9, 2024

@Maffooch Maffooch merged commit 7b48bd2 into bugfix Jul 9, 2024
125 checks passed
@Maffooch Maffooch deleted the get_queryset branch July 9, 2024 21:10
mwager added a commit to mwager/django-DefectDojo that referenced this pull request Jul 16, 2024
… kiuwan-sca

# By dependabot[bot] (13) and others
# Via GitHub
* 'kiuwan-sca' of github.com:mwager/django-DefectDojo: (39 commits)
  Deprecate Python-jose and migrate okta to python_social_auth (DefectDojo#10117)
  fix: dockerfile warnings (DefectDojo#10505)
  Ruff: Add and fix Q000 (DefectDojo#10095)
  Fix(django): Upgrade of 4.2 (DefectDojo#10553)
  fix(deps): build python psycopg3 dependency instead of use the pre-build binary (DefectDojo#10491)
  Bump coverage from 7.5.4 to 7.6.0 (DefectDojo#10560)
  Bump asteval from 1.0.0 to 1.0.1 (DefectDojo#10561)
  Bump djangorestframework from 3.14.0 to 3.15.2 (DefectDojo#10431)
  Bump boto3 from 1.34.142 to 1.34.143 (DefectDojo#10558)
  Bump django-debug-toolbar from 4.4.5 to 4.4.6 (DefectDojo#10557)
  Bump boto3 from 1.34.141 to 1.34.142 (DefectDojo#10551)
  Bump packageurl-python from 0.15.2 to 0.15.3 (DefectDojo#10541)
  Bump boto3 from 1.34.140 to 1.34.141 (DefectDojo#10542)
  Update helm lock file
  Update versions in application files
  Update versions in application files
  API: Convert get_filterset calls to get_queryset (DefectDojo#10543)
  Bump django-debug-toolbar from 4.4.4 to 4.4.5 (DefectDojo#10527)
  Fix ruff
  Ruff fix
  ...

# Conflicts:
#	dojo/settings/.settings.dist.py.sha256sum
5 participants