Conversation

@manuel-sommer
Contributor

No description provided.

@dryrunsecurity

dryrunsecurity bot commented Sep 15, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies dojo/models.py and triggered sensitive-file edit warnings (these paths and allowed authors can be configured in .dryrunsecurity.yaml). It also changes the clean() method to convert empty strings for protocol, userinfo, path, query, and fragment to None, which may cause TypeError in downstream code that expects strings.

🔴 Configured Codepaths Edit in dojo/models.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Potential Type Confusion (None vs. Empty String) in dojo/models.py
Vulnerability Potential Type Confusion (None vs. Empty String)
Description The clean method now explicitly converts empty string values for protocol, userinfo, path, query, and fragment to None. This change in type from an empty string to None can lead to TypeError exceptions in downstream code that expects a string and does not handle None values, potentially causing a denial of service.

```python
errors = []
null_char_list = ["0x00", "\x00"]
db_type = connection.vendor
if self.protocol is not None:
    if not re.match(r"^[A-Za-z][A-Za-z0-9\.\-\+]+$", self.protocol):  # https://tools.ietf.org/html/rfc3986#section-3.1
        errors.append(ValidationError(f'Protocol "{self.protocol}" has invalid format'))
    if not self.protocol:
        self.protocol = None  # added in this PR: empty string is normalised to None
if self.userinfo is not None:
    if not re.match(r"^[A-Za-z0-9\.\-_~%\!\$&\'\(\)\*\+,;=:]+$", self.userinfo):  # https://tools.ietf.org/html/rfc3986#section-3.2.1
        errors.append(ValidationError(f'Userinfo "{self.userinfo}" has invalid format'))
    if not self.userinfo:
        self.userinfo = None  # added in this PR: empty string is normalised to None
if self.host:
    # (snippet truncated here in the scanner excerpt)
```

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
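The None-vs-empty-string hazard the scanner describes, as an added illustration that is not DefectDojo's own code: a stand-in `Endpoint` class whose `clean()` normalises empty strings to `None` before validating with the same RFC 3986 patterns, next to a downstream URL builder written both ways. Normalising before validating, and the `build_url` helpers, are assumptions of this example, not the project's implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Same patterns as the PR snippet (RFC 3986 §3.1 and §3.2.1).
PROTOCOL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9\.\-\+]+$")
USERINFO_RE = re.compile(r"^[A-Za-z0-9\.\-_~%\!\$&\'\(\)\*\+,;=:]+$")


@dataclass
class Endpoint:
    """Hypothetical stand-in for the model; not DefectDojo's Endpoint."""
    protocol: Optional[str] = None
    userinfo: Optional[str] = None
    host: Optional[str] = None

    def clean(self) -> List[str]:
        """Normalise '' -> None first (assumption), then validate non-None fields."""
        errors: List[str] = []
        if self.protocol is not None and not self.protocol:
            self.protocol = None
        if self.userinfo is not None and not self.userinfo:
            self.userinfo = None
        if self.protocol is not None and not PROTOCOL_RE.match(self.protocol):
            errors.append(f'Protocol "{self.protocol}" has invalid format')
        if self.userinfo is not None and not USERINFO_RE.match(self.userinfo):
            errors.append(f'Userinfo "{self.userinfo}" has invalid format')
        return errors


def build_url_naive(ep: Endpoint) -> str:
    """Downstream code that assumes every field is a str: breaks once None appears."""
    return ep.protocol + "://" + ep.userinfo + "@" + ep.host


def build_url(ep: Endpoint) -> str:
    """Downstream code that tolerates None (the fix the scanner's note calls for)."""
    scheme = ep.protocol or "http"  # default scheme is an assumption of this example
    auth = f"{ep.userinfo}@" if ep.userinfo else ""
    return f"{scheme}://{auth}{ep.host}"


def naive_raises_type_error(ep: Endpoint) -> bool:
    """True if the None-unaware builder fails on this endpoint."""
    try:
        build_url_naive(ep)
    except TypeError:
        return True
    return False
```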

Contributor

@mtesauro mtesauro left a comment

Approved

@valentijnscholten valentijnscholten merged commit ab4315d into DefectDojo:dev Sep 19, 2025
157 of 158 checks passed
@valentijnscholten valentijnscholten added this to the 2.51.0 milestone Sep 20, 2025
@manuel-sommer manuel-sommer deleted the plc1901_dojo_models branch September 21, 2025 19:59