
Fix to bump ruff to 0.9.3 #11451

Open. Wants to merge 1 commit into base: dev

Conversation

@manuel-sommer (Contributor) commented Dec 21, 2024


dryrunsecurity bot commented Dec 21, 2024

DryRun Security Summary

The pull request involves minor code changes to the DefectDojo application, focusing on parsing MobSF scan results, importing survey data, and handling uploaded threat and Selenium script files, with potential security considerations that should be reviewed.


Summary:

The code changes in this pull request cover various aspects of the DefectDojo application, including the parsing of MobSF (Mobile Security Framework) scan results, the import process for survey data, and the handling of uploaded threat and Selenium script files. While the specific changes do not introduce any obvious security vulnerabilities, there are a few areas that should be reviewed from an application security perspective.

In the MobSFParser class, the changes are minor and do not directly impact the security of the application. However, the MobSFParser class itself is an important component that processes the results of MobSF scans, which can identify a wide range of security issues in mobile applications. It's crucial to ensure that this class is properly implemented and maintained to provide accurate and reliable security information.

The changes in the import_surveys.py file involve manipulating a JSON file on the filesystem, which could potentially introduce security risks if the file path or contents are not properly sanitized and validated. Additionally, the use of a raw SQL query to retrieve the polymorphic_ctype_id value should be reviewed to ensure that it is not vulnerable to SQL injection attacks.

The changes in the utils.py file related to handling uploaded threat and Selenium script files appear to follow best practices, such as checking for the existence of necessary folders and constructing file paths using IDs to prevent directory traversal attacks. However, it's important to ensure that the file handling is implemented securely and that any potential issues related to temporary file handling are properly addressed.

Files Changed:

  1. dojo/tools/mobsf/parser.py:
    • The changes remove an empty else block from the get_findings() method of the MobSFParser class.
    • The MobSFParser class is responsible for parsing the results of MobSF scans and converting them into a format that can be used by security testing or vulnerability management tools.
  2. dojo/management/commands/import_surveys.py:
    • The changes involve updating the polymorphic_ctype_id value in the initial_surveys.json file.
    • The code uses a raw SQL query to retrieve the polymorphic_ctype_id value, which should be reviewed for potential SQL injection vulnerabilities.
    • The file manipulation operations should be reviewed to ensure that the file path and contents are properly sanitized and validated.
  3. dojo/utils.py:
    • The changes introduce two functions, handle_uploaded_threat() and handle_uploaded_selenium(), to handle the upload of threat and Selenium script files, respectively.
    • The code follows best practices, such as checking for the existence of necessary folders and constructing file paths using IDs to prevent directory traversal attacks.
    • However, it's important to ensure that the file handling is implemented securely and that any potential issues related to temporary file handling are properly addressed.

Code Analysis

We ran 9 analyzers against 3 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer: Configured Codepaths Analyzer. Findings: 1 finding.

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


@manuel-sommer manuel-sommer reopened this Jan 23, 2025
@manuel-sommer manuel-sommer changed the title bump ruff 0.8.3 Fix to bump ruff to 0.9.3 Jan 23, 2025
@manuel-sommer manuel-sommer marked this pull request as ready for review January 23, 2025 19:55
@manuel-sommer (Contributor, Author) commented:

Ready to review @mtesauro
