refactor: decouple Jira integration into dojo/jira package#14743
Open
Maffooch wants to merge 2 commits intoDefectDojo:devfrom
Open
refactor: decouple Jira integration into dojo/jira package#14743Maffooch wants to merge 2 commits intoDefectDojo:devfrom
Maffooch wants to merge 2 commits intoDefectDojo:devfrom
Conversation
Introduce a new dojo/jira package (models, forms, api, helper, queries, urls, views) and a top-level dojo/jira_facade.py. Route all Jira references from the rest of the codebase (models.py properties, forms, api_v2 serializers and views, view files, tasks, display_tags, risk_acceptance/helper, finding/helper, importers, utils SLA notifications, engagement/services, management commands) through the facade so no module outside the Jira package imports Jira internals directly. Also resolves a circular import in dojo/jira/models.py, updates test mock paths for the new module layout, and fixes ruff lint across the moved files.
|
This pull request may introduce mass-assignment risks: it unpacks user-controlled request.data into dojo_dispatch_task(**request.data) without shown sanitization (potentially allowing arbitrary kwargs to affect model updates), and it adds JIRA serializers using ModelSerializer with fields='all' (which can let clients set any writable model fields unless callers or models explicitly restrict writes).
🔴 Potential Mass Assignment Vulnerability in
|
| Vulnerability | Potential Mass Assignment Vulnerability |
|---|---|
| Description | The code unpacks request.data (user-controlled) into keyword arguments when calling dojo_dispatch_task (dojo_dispatch_task(task, engagement.id, **request.data)). If the dispatched Celery task (retrieved from jira_services.get_epic_task) or the downstream helper accepts arbitrary kwargs and applies them to model updates without explicit allowlisting, this could allow mass-assignment of model fields. The patch shows no explicit filtering of request.data before unpacking here; the new jira services wrapper only returns helper task functions and does not sanitize request data. I could not find the implementation of dojo_dispatch_task or the actual epic task in the provided patch to prove they sanitize or validate kwargs, so the use of **request.data is potentially unsafe. |
django-DefectDojo/dojo/api_v2/views.py
Lines 719 to 722 in 15261f3
🟠 Potential Mass Assignment Vulnerability in dojo/jira/api/serializers.py (drs_84bb6ed7)
| Vulnerability | Potential Mass Assignment Vulnerability |
|---|---|
| Description | The JIRA API serializers use ModelSerializer with fields='all', which would normally allow clients to set any writable model fields. The patch introduces JIRAIssueSerializer, JIRAInstanceSerializer, and JIRAProjectSerializer with fields='all' and only limited custom validation for a few fields. There is no explicit allowlist (e.g. .validated() or .only()) in the serializers themselves and many callers in the PR pass serializer data through create/update flows that may persist model fields. However, model-level protections (like Django model field write protections) and view-level usage determine actual exposure. |
django-DefectDojo/dojo/jira/api/serializers.py
Lines 17 to 19 in 15261f3
We've notified @mtesauro.
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
blakeaowens
approved these changes
Apr 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Extracts all Jira integration code into a dedicated
dojo/jirapackage and introducesdojo/jira/services.pyas the single entry point for the rest of the application. The goal is to remove direct coupling between core models/forms/views/importers and Jira internals so the Jira module can evolve without touching consumers across the codebase.What changed:
dojo/jira_link/→dojo/jira/and addedmodels.py,forms.py, andapi/{serializers,views}.pyto hold the Jira-specific pieces previously embedded indojo/models.py,dojo/forms.py, anddojo/api_v2/.dojo/jira/services.py(service-layer module matching theservices.pyconvention used elsewhere, e.g.dojo/engagement/services.py) exposing the public Jira surface consumed by non-Jira modules. Each wrapper is a one-line delegation todojo.jira.helper, lazy-imported inside the module to break the import cycle betweendojo.forms/dojo.models/dojo.utilsanddojo.jira.helper. Real Jira errors propagate to callers instead of being swallowed.dojo/models.py,dojo/forms.py,dojo/api_v2/{serializers,views}.py,dojo/finding/{helper,views}.py,dojo/finding_group/views.py,dojo/engagement/{services,views}.py,dojo/product/views.py,dojo/test/views.py,dojo/risk_acceptance/helper.py,dojo/templatetags/display_tags.py,dojo/importers/*,dojo/tasks.py, anddojo/utils.py(SLA notifications). Management commands (jira_async_updates,jira_refactor_data_migration,jira_status_reconciliation,push_to_jira_update) updated to import from the new package..dryrunsecurity.yamlsensitive-codepaths glob updated to trackdojo/jira/**.No behavior change is intended — this is a code-move / import-boundary cleanup. No DB schema changes and no new settings.