
Conversation

@Maffooch
Contributor

Implement notes management for the RiskAcceptanceViewSet, allowing users to retrieve and add notes associated with risk acceptance entries. This enhancement includes GET and POST actions for managing notes effectively.

@Maffooch Maffooch requested a review from mtesauro as a code owner January 27, 2026 00:53
@github-actions github-actions bot added the apiv2 label Jan 27, 2026
@dryrunsecurity

DryRun Security

This pull request introduces a race condition in RiskAcceptanceViewSet: the notes action uses a check-then-act pattern to enforce a single-note-per-type rule without using transactions or locks, so concurrent requests can both pass the check and create duplicate 'single' type notes, violating the intended business restriction.

Race Condition in dojo/api_v2/views.py

Vulnerability: Race Condition

Description: The notes action in RiskAcceptanceViewSet implements a check-then-act pattern to enforce that only one note of a specific 'single' type can be added to a risk acceptance. However, this check is performed without database transactions or locking. Concurrent requests can both pass the initial check before either has created the new note, leading to multiple notes of the same 'single' type being associated with the risk acceptance, bypassing the intended business logic restriction.

```python
        if notes and note_type and note_type.is_single:
            return Response("Only one instance of this note_type allowed on a risk acceptance.", status=status.HTTP_400_BAD_REQUEST)
        author = request.user
```


All finding details can be found in the DryRun Security Dashboard.
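To make the check-then-act problem concrete, the following is an added illustration, not code from this pull request or from DefectDojo. It models the "one note of a 'single' type per risk acceptance" rule with an in-memory list and plain Python threads: `add_note_check_then_act` mirrors the pattern the finding describes (read the existing notes, decide, then write, with nothing holding the two steps together), while `add_note_locked` performs the check and the write inside one critical section. The `RiskAcceptance`, `NoteType` and `simulate` names and the barrier used to force the interleaving are all constructed for the example; in the real view the equivalent of the lock would be a database transaction that locks the risk acceptance row (for instance Django's `transaction.atomic()` together with `select_for_update()`) or a database-level uniqueness constraint.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class NoteType:
    # Constructed stand-in for the note type model; is_single marks types
    # that may appear at most once on a risk acceptance.
    name: str
    is_single: bool


@dataclass
class RiskAcceptance:
    # Constructed stand-in for the model: notes is a list of (type_name, text).
    notes: list = field(default_factory=list)
    # Stands in for the row lock a transaction would take in the real code.
    lock: threading.Lock = field(default_factory=threading.Lock)


def _has_note_of_type(ra, note_type):
    return any(name == note_type.name for name, _ in ra.notes)


def add_note_check_then_act(ra, note_type, text, pause=None):
    """Vulnerable pattern: the check and the write are separate steps.

    `pause` marks the window between them in which another request can run.
    """
    if note_type.is_single and _has_note_of_type(ra, note_type):
        return False  # rejected: a 'single' note already exists
    if pause:
        pause()  # other requests interleave here
    ra.notes.append((note_type.name, text))
    return True


def add_note_locked(ra, note_type, text, pause=None):
    """Hardened pattern: check and write happen inside one critical section.

    `pause` is taken before the lock, so all requests still arrive at the same
    moment; nothing can interleave between the check and the write.
    """
    if pause:
        pause()
    with ra.lock:
        if note_type.is_single and _has_note_of_type(ra, note_type):
            return False
        ra.notes.append((note_type.name, text))
        return True


def simulate(add_fn, n_threads=8):
    """Run n concurrent 'add a single note' requests against one risk acceptance.

    Returns (number of 'single' notes stored, number of requests accepted).
    A barrier forces every thread past its pause point only once all threads
    have reached it, which deterministically produces the worst-case interleaving.
    """
    ra = RiskAcceptance()
    single = NoteType(name="single", is_single=True)
    barrier = threading.Barrier(n_threads)
    accepted = []

    def worker(i):
        accepted.append(add_fn(ra, single, f"constructed note {i}", pause=barrier.wait))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for name, _ in ra.notes if name == "single"), sum(accepted)


if __name__ == "__main__":
    # Expected: the racy version stores 8 'single' notes, the locked version 1.
    print("check-then-act:", simulate(add_note_check_then_act, 8))
    print("locked:        ", simulate(add_note_locked, 8))
```

Every thread in the racy run evaluates the "is there already a single note?" check against an empty list before any of them writes, so all eight are accepted and eight notes end up attached. With the check and the write under one lock, the first request wins and the remaining seven observe the stored note and are rejected, which is the behaviour the view intends. The same structure applies to the Django view: take the row lock (or rely on a database constraint) so that the existence check and the insert cannot be separated by another request.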

@Maffooch Maffooch added this to the 2.55.0 milestone Jan 27, 2026