Mitigated On/Before/After now use DateTimeFilter #11472
Conversation
DryRun Security SummaryThe code change enhances the Defect Dojo application's security filtering capabilities by introducing more granular filtering options for mitigation dates and EPSS metrics in the Expand for full summarySummary: This code change appears to be a security-focused update to the These changes suggest that the application is expanding its ability to filter and sort findings, which could lead to improved security posture by allowing users to more easily identify and focus on findings that may pose a higher risk or have been mitigated in a timely manner. However, it's important to ensure that these new filtering capabilities are properly secured and do not introduce any vulnerabilities, such as potential SQL injection or other injection-based attacks. The application should also validate and sanitize all user input to these filters to prevent malicious input from being used to bypass security controls or access sensitive data. Files Changed:
Code AnalysisWe ran |
dojo/filters.py
Outdated
| mitigated_on = DateTimeFilter(field_name="mitigated", lookup_expr="exact") | ||
| mitigated_before = DateTimeFilter(field_name="mitigated", lookup_expr="lt") | ||
| mitigated_after = DateTimeFilter(field_name="mitigated", lookup_expr="gt") |
There was a problem hiding this comment.
If a user were to be reliant on passing a date to this filter, would the API accept the absence of the timestamp? For example, if the query was mitigated_on=2025-01-02 would a validation error be thrown?
There was a problem hiding this comment.
A validation error does not get thrown if you use 2025-01-02 without the timestamp. Should it?
There was a problem hiding this comment.
No, a validation error should not be raised. I was asking to make sure that this change would not cause any issues for users that were currently using dates
There was a problem hiding this comment.
This doesn't seem to be operating how I would expect... I spun up a test instance, created some findings, and marked them mitigated. The UI uses a date-picker widget that won't allow you to enter a timestamp, so I couldn't test that.
With the API, I have 3 mitigated findings with these mitigated values:
❯ curl -H "Authorization: Token ${DD_API_KEY}" "http://localhost:8080/api/v2/findings/" | jq '.results[] | select(.mitigated != null) | .mitigated'
"2025-01-13T18:08:05.911321Z"
"2025-01-13T18:08:05.922679Z"
"2025-01-13T18:08:05.930498Z"
Testing mitigated_on with a simple date:
❯ curl -H "Authorization: Token ${DD_API_KEY}" "http://localhost:8080/api/v2/findings/?mitigated_on=2025-01-13"
{"count":0,"next":null,"previous":null,"results":[],"prefetch":{}}%
It wants an exact timestamp:
❯ curl -H "Authorization: Token ${DD_API_KEY}" "http://localhost:8080/api/v2/findings/?mitigated_on=2025-01-13T18:08:05.911321Z"
{"count":1,"next":null,"previous":null,"results":[{"id":1, ... }]}
The mitigated_after and mitigated_before filters sort of work as expected with simple dates, but I assume it is just plugging in a 00:00:00 for the time, so for example this returns my 3 findings that were mitigated today, 2025-01-13, where mitigated_after would only have included things after today (23:59:59) in the past.
❯ curl -H "Authorization: Token ${DD_API_KEY}" "http://localhost:8080/api/v2/findings/?mitigated_after=2025-01-13"
{"count":3,"next":null,"previous":null,"results":[{"id":1, ... }]}
I think this needs some additional tweaking, and could really use some unit tests.
With simple dates being given, it does indeed use 00:00:00 as the time. The request was to make it use DateTimeFilter which means it expects a full datetime. Per the Story:
So when you said 'after' and gave 2025-01-13, the assumption is that you meant 2025-01-13T00:00:00. That said, I think we can alter the after to add a 23:59:59 timestamp if it is not added instead of the 00:00:00. |
| if value.hour == 0 and value.minute == 0 and value.second == 0: | ||
| value = value.replace(hour=23, minute=59, second=59) |
There was a problem hiding this comment.
This seems like the right way to handle "after" when the user provides a simple date without a timestamp. Given that the UI currently uses a simple date picker without the ability to specify time (which seems fine), this would do what I would intuitively expect. We don't have to worry about the possibility of the user asking for "after 2025-01-01 00:00:00" here unless they're fiddling around in the Developer Console or something.
I suppose we could include microseconds here or use gte <date+1> 00:00:00 to deal with edge cases around the last second of the day...
dojo/filters.py
Outdated
| mitigated_on = DateFilter(field_name="mitigated", lookup_expr="exact", label="Mitigated On") | ||
| mitigated_before = DateFilter(field_name="mitigated", lookup_expr="lt", label="Mitigated Before") | ||
| mitigated_after = DateFilter(field_name="mitigated", lookup_expr="gt", label="Mitigated After") | ||
| mitigated_on = DateTimeFilter(field_name="mitigated", lookup_expr="exact", label="Mitigated On") |
There was a problem hiding this comment.
Given the simple date-picker presented in the UI, I think searching for anything with a timestamp between [ <date> 00:00:00, <date+1> 00:00:00 ) would be the right approach here. Otherwise, I think this filter will only ever return Findings mitigated at exactly 00:00:00, which would be pretty uncommon.
| if value.hour == 0 and value.minute == 0 and value.second == 0: | ||
| value = value.replace(hour=23, minute=59, second=59) |
There was a problem hiding this comment.
This logic is a little trickier when it comes to the API, because the user could intentionally query for "after 2025-01-01 00:00:00"... But I think this approach strikes the right balance - it seems much more likely that we'll receive dates without timestamps than dates with explicit 00:00:00 timestamps, and this would mirror the UI's behavior as well. In any case, the user can always search for "after 2024-12-31" to achieve the same thing if that's truly what they want.
dojo/filters.py
Outdated
| mitigated_on = DateFilter(field_name="mitigated", lookup_expr="exact") | ||
| mitigated_before = DateFilter(field_name="mitigated", lookup_expr="lt") | ||
| mitigated_after = DateFilter(field_name="mitigated", lookup_expr="gt") | ||
| mitigated_on = DateTimeFilter(field_name="mitigated", lookup_expr="exact") |
There was a problem hiding this comment.
It seems very unlikely to me that a user will ever actually want to list Findings mitigated on an exact timestamp down to the microsecond, even if this would theoretically give them that option. I think searching the range [ <date> 00:00:00, <date+1> 00:00:00 ) is the right approach here too, regardless of whether the user specified a timestamp.
Fixes filtering for mitigation for the on/before/after fields
[sc-7759]