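def view_test(request, tid):
    """Render the detail page for one Test: findings, stub findings, notes, credentials.

    Only staff users or users listed in the product's ``authorized_users`` may
    view the page; everyone else gets a 403.  Staff users may POST a
    ``NoteForm`` to attach a note to the test.  A POST from a non-staff (but
    authorized) user is not saved and the page is rendered as for a GET.

    Args:
        request: Django ``HttpRequest``.
        tid: Primary key of the ``Test`` to display.

    Returns:
        The rendered ``dojo/view_test.html`` response.

    Raises:
        Http404: no ``Test`` with id ``tid`` exists.
        PermissionDenied: the user is not authorized for the test's product.
    """
    # An unknown id becomes a 404 instead of an unhandled DoesNotExist (500).
    test = get_object_or_404(Test, id=tid)
    prod = test.engagement.product

    # Object-level authorization happens before any further data is loaded.
    authorized = (request.user.is_staff
                  or request.user in prod.authorized_users.all())
    if not authorized:
        raise PermissionDenied  # Django renders this as a 403

    notes = test.notes.all()
    person = request.user.username
    findings = Finding.objects.filter(test=test).order_by('numerical_severity')
    stub_findings = Stub_Finding.objects.filter(test=test)
    cred_test = (Cred_Mapping.objects.filter(test=test)
                 .select_related('cred_id').order_by('cred_id'))
    creds = (Cred_Mapping.objects.filter(engagement=test.engagement)
             .select_related('cred_id').order_by('cred_id'))

    form = NoteForm()
    # Only staff may add notes; a non-staff POST falls through with an
    # unbound form (the submitted note is discarded).
    if request.method == 'POST' and request.user.is_staff:
        form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = request.user
            new_note.date = timezone.now()
            new_note.save()
            test.notes.add(new_note)
            form = NoteForm()
            url = request.build_absolute_uri(
                reverse("view_test", args=(test.id, )))
            title = "Test: %s on %s" % (test.test_type.name,
                                        test.engagement.product.name)
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS,
                                 'Note added successfully.',
                                 extra_tags='alert-success')

    fpage = get_page_items(request, findings, 25)
    sfpage = get_page_items(request, stub_findings, 25)
    # Offer re-upload only when the test type appears in the import form's
    # scan-type choices.
    show_re_upload = any(test.test_type.name in code
                         for code in ImportScanForm.SCAN_TYPE_CHOICES)
    product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
    product_tab.setEngagement(test.engagement)

    return render(request, 'dojo/view_test.html', {
        'test': test,
        'product_tab': product_tab,
        'findings': fpage,
        'findings_count': findings.count(),
        'stub_findings': sfpage,
        'form': form,
        'notes': notes,
        'person': person,
        'request': request,
        'show_re_upload': show_re_upload,
        'creds': creds,
        'cred_test': cred_test,
    })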
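def view_test(request, tid):
    """Render the detail page for one Test: findings, stub findings, notes, credentials.

    The requesting user must be staff or listed in the product's
    ``authorized_users``; anyone else gets a 403.  Authorized users may POST a
    ``NoteForm`` to attach a note to the test.

    Args:
        request: Django ``HttpRequest``.
        tid: Primary key of the ``Test`` to display.

    Returns:
        The rendered ``dojo/view_test.html`` response.

    Raises:
        Http404: no ``Test`` with id ``tid`` exists.
        PermissionDenied: the user is not authorized for the test's product.
    """
    # An unknown id becomes a 404 instead of an unhandled DoesNotExist (500).
    test = get_object_or_404(Test, id=tid)
    prod = test.engagement.product

    # Object-level authorization: knowing a test id alone must not grant
    # access to it.  Checked before any further data is loaded.
    authorized = (request.user.is_staff
                  or request.user in prod.authorized_users.all())
    if not authorized:
        raise PermissionDenied  # Django renders this as a 403

    notes = test.notes.all()
    person = request.user.username
    findings = Finding.objects.filter(test=test)
    stub_findings = Stub_Finding.objects.filter(test=test)
    cred_test = (Cred_Mapping.objects.filter(test=test)
                 .select_related('cred_id').order_by('cred_id'))
    creds = (Cred_Mapping.objects.filter(engagement=test.engagement)
             .select_related('cred_id').order_by('cred_id'))

    form = NoteForm()
    if request.method == 'POST':
        form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = request.user
            new_note.date = datetime.now(tz=localtz)
            new_note.save()
            test.notes.add(new_note)
            form = NoteForm()
            url = request.build_absolute_uri(
                reverse("view_test", args=(test.id, )))
            title = "Test: %s on %s" % (test.test_type.name,
                                        test.engagement.product.name)
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS,
                                 'Note added successfully.',
                                 extra_tags='alert-success')

    fpage = get_page_items(request, findings, 25)
    sfpage = get_page_items(request, stub_findings, 25)
    # Offer re-upload only when the test type appears in the import form's
    # scan-type choices.
    show_re_upload = any(test.test_type.name in code
                         for code in ImportScanForm.SCAN_TYPE_CHOICES)
    # Endpoint the template uses for stub-finding AJAX calls.
    ajax_url = reverse('api_dispatch_list', kwargs={
        'resource_name': 'stub_findings',
        'api_name': 'v1_a',
    })
    add_breadcrumb(parent=test, top_level=False, request=request)

    return render(request, 'dojo/view_test.html', {
        'test': test,
        'findings': fpage,
        'stub_findings': sfpage,
        'form': form,
        'notes': notes,
        'person': person,
        'request': request,
        'show_re_upload': show_re_upload,
        'ajax_url': ajax_url,
        'creds': creds,
        'cred_test': cred_test,
    })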
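def view_test(request, tid):
    """Show one Test with its findings, stub findings, notes and credential mappings.

    Access is limited to staff users and users in the product's
    ``authorized_users`` (403 otherwise).  Staff users may POST a ``NoteForm``
    to add a note; a POST from a non-staff authorized user is ignored and the
    page renders as on GET.

    Args:
        request: Django ``HttpRequest``.
        tid: Primary key of the ``Test``.

    Returns:
        The rendered ``dojo/view_test.html`` response.

    Raises:
        Http404: no ``Test`` with id ``tid`` exists.
        PermissionDenied: the user is not authorized for the product.
    """
    # 404 for an unknown id rather than an unhandled DoesNotExist (500).
    test = get_object_or_404(Test, id=tid)
    prod = test.engagement.product

    # Authorize before loading anything else about the test.
    if not (request.user.is_staff
            or request.user in prod.authorized_users.all()):
        raise PermissionDenied  # will render 403

    notes = test.notes.all()
    person = request.user.username
    findings = Finding.objects.filter(test=test).order_by('numerical_severity')
    stub_findings = Stub_Finding.objects.filter(test=test)
    cred_test = Cred_Mapping.objects.filter(test=test) \
        .select_related('cred_id').order_by('cred_id')
    creds = Cred_Mapping.objects.filter(engagement=test.engagement) \
        .select_related('cred_id').order_by('cred_id')

    form = NoteForm()
    # Note creation is a staff-only action; other POSTs are not saved.
    if request.method == 'POST' and request.user.is_staff:
        form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = request.user
            new_note.date = timezone.now()
            new_note.save()
            test.notes.add(new_note)
            form = NoteForm()
            url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
            title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS,
                                 'Note added successfully.',
                                 extra_tags='alert-success')

    fpage = get_page_items(request, findings, 25)
    sfpage = get_page_items(request, stub_findings, 25)
    # Re-upload is offered when the test type appears in the import form's
    # scan-type choices.
    show_re_upload = any(test.test_type.name in code
                         for code in ImportScanForm.SCAN_TYPE_CHOICES)
    product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
    product_tab.setEngagement(test.engagement)

    context = {
        'test': test,
        'product_tab': product_tab,
        'findings': fpage,
        'findings_count': findings.count(),
        'stub_findings': sfpage,
        'form': form,
        'notes': notes,
        'person': person,
        'request': request,
        'show_re_upload': show_re_upload,
        'creds': creds,
        'cred_test': cred_test,
    }
    return render(request, 'dojo/view_test.html', context)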
def view_test(request, tid):
    """Show one Test with its findings and notes.

    Superusers may open any test.  Other users only reach tests whose product
    lists them in ``authorized_users``; any other id yields a 404, so the
    lookup itself enforces authorization.  A POST with a valid ``NoteForm``
    attaches a note to the test and notifies subscribers.

    Args:
        request: Django ``HttpRequest``.
        tid: Primary key of the ``Test``.

    Returns:
        The rendered ``dojo/view_test.html`` response.

    Raises:
        Http404: no matching (and, for non-superusers, authorized) test.
    """
    user = request.user
    lookup = {'id': tid}
    if not user.is_superuser:
        # Scope the query to products the user is authorized for.
        lookup['engagement__product__authorized_users__in'] = [user]
    test = get_object_or_404(Test, **lookup)

    notes = test.notes.all()
    person = user.username
    findings = Finding.objects.filter(test=test).order_by('-score')
    stub_findings = Stub_Finding.objects.filter(test=test)

    form = NoteForm()
    if request.method == 'POST':
        form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = user
            new_note.date = timezone.now()
            new_note.save()
            test.notes.add(new_note)
            form = NoteForm()
            url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
            title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS,
                                 'Note added successfully.',
                                 extra_tags='alert-success')

    context = {
        'test': test,
        'findings': get_page_items(request, findings, 25),
        'stub_findings': get_page_items(request, stub_findings, 25),
        'form': form,
        'notes': notes,
        'person': person,
        'request': request,
        # Re-upload is offered when the test type appears in the import
        # form's scan-type choices.
        'show_re_upload': any(test.test_type.name in code
                              for code in ImportScanForm.SCAN_TYPE_CHOICES),
    }
    add_breadcrumb(parent=test, top_level=False, request=request)
    return render(request, 'dojo/view_test.html', context)
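def view_test(request, tid):
    """Show one Test with its findings, stub findings, notes and credential mappings.

    The requesting user must be staff or listed in the product's
    ``authorized_users``; anyone else gets a 403.  Authorized users may POST a
    ``NoteForm`` to attach a note to the test.

    Args:
        request: Django ``HttpRequest``.
        tid: Primary key of the ``Test``.

    Returns:
        The rendered ``dojo/view_test.html`` response.

    Raises:
        Http404: no ``Test`` with id ``tid`` exists.
        PermissionDenied: the user is not authorized for the product.
    """
    # 404 for an unknown id rather than an unhandled DoesNotExist (500).
    test = get_object_or_404(Test, id=tid)
    prod = test.engagement.product

    # Object-level authorization: a test id alone must not grant access.
    if not (request.user.is_staff
            or request.user in prod.authorized_users.all()):
        raise PermissionDenied  # rendered as 403

    notes = test.notes.all()
    person = request.user.username
    findings = Finding.objects.filter(test=test)
    stub_findings = Stub_Finding.objects.filter(test=test)
    cred_test = Cred_Mapping.objects.filter(test=test) \
        .select_related('cred_id').order_by('cred_id')
    creds = Cred_Mapping.objects.filter(engagement=test.engagement) \
        .select_related('cred_id').order_by('cred_id')

    form = NoteForm()
    if request.method == 'POST':
        form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = request.user
            new_note.date = timezone.now()
            new_note.save()
            test.notes.add(new_note)
            form = NoteForm()
            url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
            title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS,
                                 'Note added successfully.',
                                 extra_tags='alert-success')

    fpage = get_page_items(request, findings, 25)
    sfpage = get_page_items(request, stub_findings, 25)
    # Re-upload is offered when the test type appears in the import form's
    # scan-type choices.
    show_re_upload = any(test.test_type.name in code
                         for code in ImportScanForm.SCAN_TYPE_CHOICES)
    add_breadcrumb(parent=test, top_level=False, request=request)

    return render(request, 'dojo/view_test.html', {
        'test': test,
        'findings': fpage,
        'stub_findings': sfpage,
        'form': form,
        'notes': notes,
        'person': person,
        'request': request,
        'show_re_upload': show_re_upload,
        'creds': creds,
        'cred_test': cred_test,
    })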
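def view_finding(request, fid):
    """Render one Finding with its JIRA state, Burp request/response and notes.

    The requesting user must be staff or in the product's ``authorized_users``
    (403 otherwise).  A POST with a valid ``NoteForm`` attaches a note,
    updates the finding's ``last_reviewed``/``last_reviewed_by`` and, when the
    finding is linked to a JIRA issue, queues the note as a JIRA comment.

    Args:
        request: Django ``HttpRequest``.
        fid: Primary key of the ``Finding``.

    Returns:
        The rendered ``dojo/view_finding.html`` response.

    Raises:
        Http404: unknown finding id, or no ``Dojo_User`` row for the user.
        PermissionDenied: the user is not authorized for the product.
    """
    finding = get_object_or_404(Finding, id=fid)
    user = request.user
    product = finding.test.engagement.product

    # Authorize first so nothing else is looked up for an unauthorized user.
    if not (user.is_staff or user in product.authorized_users.all()):
        raise PermissionDenied

    # JIRA linkage is optional: a missing row is the normal case, so only
    # the "not found" / ambiguous cases are tolerated, not arbitrary errors.
    try:
        jissue = JIRA_Issue.objects.get(finding=finding)
    except (JIRA_Issue.DoesNotExist, JIRA_Issue.MultipleObjectsReturned):
        jissue = None
    try:
        jconf = JIRA_PKey.objects.get(product=product).conf
    except (JIRA_PKey.DoesNotExist, JIRA_PKey.MultipleObjectsReturned):
        jconf = None

    dojo_user = get_object_or_404(Dojo_User, id=user.id)
    notes = finding.notes.all()

    form = NoteForm()
    if request.method == 'POST':
        form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = request.user
            new_note.date = datetime.now(tz=localtz)
            new_note.save()
            finding.notes.add(new_note)
            # Adding a note counts as a review of the finding.
            finding.last_reviewed = new_note.date
            finding.last_reviewed_by = user
            finding.save()
            if jissue is not None:
                add_comment_task(finding, new_note)
            form = NoteForm()
            url = request.build_absolute_uri(
                reverse("view_finding", args=(finding.id, )))
            title = "Finding: " + finding.title
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS, 'Note saved.',
                                 extra_tags='alert-success')

    # The Burp request/response pair is optional and stored base64-encoded.
    # A missing row or an undecodable payload leaves both values as None.
    burp_request = burp_response = None
    try:
        reqres = BurpRawRequestResponse.objects.get(finding=finding)
        burp_request = base64.b64decode(reqres.burpRequestBase64)
        burp_response = base64.b64decode(reqres.burpResponseBase64)
    except (BurpRawRequestResponse.DoesNotExist,
            BurpRawRequestResponse.MultipleObjectsReturned,
            ValueError, TypeError):
        burp_request = burp_response = None

    add_breadcrumb(parent=finding, top_level=False, request=request)
    return render(request, 'dojo/view_finding.html', {
        'finding': finding,
        'burp_request': burp_request,
        'jissue': jissue,
        'jconf': jconf,
        'burp_response': burp_response,
        'dojo_user': dojo_user,
        'user': user,
        'notes': notes,
        'form': form,
    })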
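def _drive_query_literal(value):
    """Escape *value* for use inside a single-quoted Google Drive query literal."""
    return str(value).replace("\\", "\\\\").replace("'", "\\'")


def _test_note_form(note_type_activation, available_note_types, data=None):
    """Build the note form for the test page.

    With note types active the ``TypedNoteForm`` restricted to
    ``available_note_types`` is used, otherwise the plain ``NoteForm``.
    ``data`` (for example ``request.POST``) binds the form; ``None`` gives an
    unbound one.
    """
    if note_type_activation:
        if data is None:
            return TypedNoteForm(available_note_types=available_note_types)
        return TypedNoteForm(data, available_note_types=available_note_types)
    if data is None:
        return NoteForm()
    return NoteForm(data)


def _google_sheet_url(request, test, system_settings):
    """Find the Google Sheet exported for *test* in the configured Drive folder.

    Returns ``(sheet_url, config_ok)``.  ``sheet_url`` is ``None`` unless
    exactly one matching spreadsheet is found.  ``config_ok`` is ``False``
    when the Drive API rejects the stored configuration (``HttpError``) so the
    caller can hide the export feature; a transport failure
    (``ServerNotFoundError``) leaves it ``True``.  Both failures add a user
    message.
    """
    spreadsheet_name = (test.engagement.product.name + "-"
                        + test.engagement.name + "-" + str(test.id))
    service_account_info = json.loads(system_settings.credentials)
    scopes = ['https://www.googleapis.com/auth/drive']
    credentials = service_account.Credentials.from_service_account_info(
        service_account_info, scopes=scopes)
    sheet_url = None
    config_ok = True
    try:
        drive_service = googleapiclient.discovery.build(
            'drive', 'v3', credentials=credentials, cache_discovery=False)
        folder_id = system_settings.drive_folder_ID
        # Product and engagement names are interpolated into the Drive
        # query; escape quotes so a name cannot break or alter its syntax.
        gs_files = drive_service.files().list(
            q="mimeType='application/vnd.google-apps.spreadsheet' and parents in '%s' and name='%s'"
              % (folder_id, _drive_query_literal(spreadsheet_name)),
            spaces='drive',
            pageSize=10,
            fields='files(id, name)').execute()
    except googleapiclient.errors.HttpError:
        messages.add_message(
            request,
            messages.ERROR,
            "There is a problem with the Google Sheets Sync Configuration. Contact your system admin to solve the issue. Until fixed, the Google Sheets Sync feature cannot be used.",
            extra_tags="alert-danger",
        )
        config_ok = False
    except httplib2.ServerNotFoundError:
        messages.add_message(
            request,
            messages.ERROR,
            "Unable to reach the Google Sheet API.",
            extra_tags="alert-danger",
        )
    else:
        # A response without a 'files' key means "no match", not an error.
        spreadsheets = gs_files.get('files') or []
        if len(spreadsheets) == 1:
            sheet_url = ('https://docs.google.com/spreadsheets/d/'
                         + spreadsheets[0].get('id'))
    return sheet_url, config_ok


def view_test(request, tid):
    """Render the Test detail page.

    Shows the test's (filtered, paged) findings and stub findings, notes and
    files, credential mappings, re-import history, finding groups, JIRA
    project and, when Google Sheets sync is configured, a link to the
    exported sheet.  Authorization is enforced by the queryset: only tests the
    user holds ``Permissions.Test_View`` on can be resolved, so an unknown or
    unauthorized id both yield a 404.  A POST adds a note and additionally
    requires ``Permissions.Note_Add`` on the test.

    Args:
        request: Django ``HttpRequest``.
        tid: Primary key of the ``Test``.

    Returns:
        The rendered ``dojo/view_test.html`` response.

    Raises:
        Http404: unknown/unauthorized test id, or no ``System_Settings`` row.
        PermissionDenied: a POST by a user without ``Note_Add`` permission
            (raised by ``user_has_permission_or_403``).
    """
    authorized_tests = get_authorized_tests(Permissions.Test_View).annotate(
        total_reimport_count=Count('test_import__id', distinct=True))
    # Resolving through the authorized queryset makes unknown and
    # unauthorized ids indistinguishable (both 404).
    test = get_object_or_404(authorized_tests, pk=tid)
    prod = test.engagement.product

    notes = test.notes.all()
    note_type_activation = Note_Type.objects.filter(is_active=True).count()
    available_note_types = None
    if note_type_activation:
        available_note_types = find_available_notetypes(notes)
    files = test.files.all()
    person = request.user.username
    findings = FindingFilter(
        request.GET,
        queryset=Finding.objects.filter(test=test).order_by('numerical_severity'))
    stub_findings = Stub_Finding.objects.filter(test=test)
    cred_test = (Cred_Mapping.objects.filter(test=test)
                 .select_related('cred_id').order_by('cred_id'))
    creds = (Cred_Mapping.objects.filter(engagement=test.engagement)
             .select_related('cred_id').order_by('cred_id'))
    system_settings = get_object_or_404(System_Settings, id=1)

    if request.method == 'POST':
        # Viewing a test does not imply the right to annotate it.
        user_has_permission_or_403(request.user, test, Permissions.Note_Add)
        form = _test_note_form(note_type_activation, available_note_types,
                               request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = request.user
            new_note.date = timezone.now()
            new_note.save()
            test.notes.add(new_note)
            form = _test_note_form(note_type_activation, available_note_types)
            url = request.build_absolute_uri(
                reverse("view_test", args=(test.id, )))
            title = "Test: %s on %s" % (test.test_type.name,
                                        test.engagement.product.name)
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS,
                                 'Note added successfully.',
                                 extra_tags='alert-success')
    else:
        form = _test_note_form(note_type_activation, available_note_types)

    title_words = get_words_for_field(Finding, 'title')
    component_words = get_words_for_field(Finding, 'component_name')

    test_imports = Test_Import.objects.filter(test=test)
    test_import_filter = TestImportFilter(request.GET, test_imports)
    paged_test_imports = get_page_items_and_count(
        request, test_import_filter.qs, 5, prefix='test_imports')
    paged_test_imports.object_list = paged_test_imports.object_list.prefetch_related(
        'test_import_finding_action_set')

    paged_findings = get_page_items_and_count(
        request, prefetch_for_findings(findings.qs), 25, prefix='findings')
    paged_stub_findings = get_page_items(request, stub_findings, 25)
    # Re-upload is offered when the test type appears in the scan-type choices.
    show_re_upload = any(test.test_type.name in code
                         for code in get_choices_sorted())

    product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
    product_tab.setEngagement(test.engagement)
    jira_project = jira_helper.get_jira_project(test)
    finding_groups = test.finding_group_set.all().prefetch_related(
        'findings', 'jira_issue', 'creator')
    bulk_edit_form = FindingBulkUpdateForm(request.GET)

    google_sheets_enabled = system_settings.enable_google_sheets
    sheet_url = None
    if google_sheets_enabled and system_settings.credentials:
        sheet_url, config_ok = _google_sheet_url(request, test, system_settings)
        google_sheets_enabled = google_sheets_enabled and config_ok

    return render(request, 'dojo/view_test.html', {
        'test': test,
        'prod': prod,
        'product_tab': product_tab,
        'findings': paged_findings,
        'filtered': findings,
        'stub_findings': paged_stub_findings,
        'title_words': title_words,
        'component_words': component_words,
        'form': form,
        'notes': notes,
        'files': files,
        'person': person,
        'request': request,
        'show_re_upload': show_re_upload,
        'creds': creds,
        'cred_test': cred_test,
        'jira_project': jira_project,
        # bool(): the raw service-account credential string must never be
        # handed to the template context as the value of this flag.
        'show_export': bool(google_sheets_enabled and system_settings.credentials),
        'sheet_url': sheet_url,
        'bulk_edit_form': bulk_edit_form,
        'paged_test_imports': paged_test_imports,
        'test_import_filter': test_import_filter,
        'finding_groups': finding_groups,
        'finding_group_by_options': Finding_Group.GROUP_BY_OPTIONS,
    })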
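def view_test(request, tid):
    """Render the Test detail page.

    Shows the test's open findings (filtered and paged), stub findings, notes,
    credential mappings, tag usage, JIRA configuration and, when Google Sheets
    sync is enabled and a service account is configured, a link to the
    exported sheet.  Only staff users or users in the product's
    ``authorized_users`` may view the page (403 otherwise); only staff users
    may POST a note.

    Args:
        request: Django ``HttpRequest``.
        tid: Primary key of the ``Test``.

    Returns:
        The rendered ``dojo/view_test.html`` response.

    Raises:
        Http404: unknown test id, or no ``System_Settings`` row.
        PermissionDenied: the user is not authorized for the product.
    """
    test = get_object_or_404(Test, pk=tid)
    prod = test.engagement.product
    user = request.user

    # Object-level authorization before anything about the test is loaded:
    # a test id alone must not grant read access.
    if not (user.is_staff or user in prod.authorized_users.all()):
        raise PermissionDenied

    tags = Tag.objects.usage_for_model(Finding)
    notes = test.notes.all()
    note_type_activation = Note_Type.objects.filter(is_active=True).count()
    available_note_types = None
    if note_type_activation:
        available_note_types = find_available_notetypes(notes)
    person = user.username
    findings = OpenFindingFilter(
        request.GET,
        queryset=Finding.objects.filter(test=test).order_by('numerical_severity'))
    stub_findings = Stub_Finding.objects.filter(test=test)
    cred_test = (Cred_Mapping.objects.filter(test=test)
                 .select_related('cred_id').order_by('cred_id'))
    creds = (Cred_Mapping.objects.filter(engagement=test.engagement)
             .select_related('cred_id').order_by('cred_id'))
    system_settings = get_object_or_404(System_Settings, id=1)

    def unbound_note_form():
        # Typed form when note types are active, plain form otherwise.
        if note_type_activation:
            return TypedNoteForm(available_note_types=available_note_types)
        return NoteForm()

    # Note creation is staff-only; any other POST renders like a GET.
    if request.method == 'POST' and user.is_staff:
        if note_type_activation:
            form = TypedNoteForm(request.POST,
                                 available_note_types=available_note_types)
        else:
            form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = user
            new_note.date = timezone.now()
            new_note.save()
            test.notes.add(new_note)
            form = unbound_note_form()
            url = request.build_absolute_uri(
                reverse("view_test", args=(test.id, )))
            title = "Test: %s on %s" % (test.test_type.name,
                                        test.engagement.product.name)
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS,
                                 'Note added successfully.',
                                 extra_tags='alert-success')
    else:
        form = unbound_note_form()

    title_words = get_words_for_field(findings.qs, 'title')
    component_words = get_words_for_field(findings.qs, 'component_name')
    paged_findings, total_findings_count = get_page_items_and_count(
        request, prefetch_for_findings(findings.qs), 25)
    paged_stub_findings = get_page_items(request, stub_findings, 25)
    # Re-upload is offered when the test type appears in the import form's
    # scan-type choices.
    show_re_upload = any(test.test_type.name in code
                         for code in ImportScanForm.SCAN_TYPE_CHOICES)
    product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
    product_tab.setEngagement(test.engagement)

    jira_config = JIRA_PKey.objects.filter(product=prod.id).first()
    if jira_config:
        jira_config = jira_config.conf_id

    google_sheets_enabled = system_settings.enable_google_sheets
    sheet_url = None
    # Also require stored credentials: json.loads(None) raises TypeError when
    # the feature is switched on before a service account is configured.
    if google_sheets_enabled and system_settings.credentials:
        spreadsheet_name = (test.engagement.product.name + "-"
                            + test.engagement.name + "-" + str(test.id))
        service_account_info = json.loads(system_settings.credentials)
        scopes = ['https://www.googleapis.com/auth/drive']
        credentials = service_account.Credentials.from_service_account_info(
            service_account_info, scopes=scopes)
        try:
            drive_service = googleapiclient.discovery.build(
                'drive', 'v3', credentials=credentials, cache_discovery=False)
            folder_id = system_settings.drive_folder_ID
            gs_files = drive_service.files().list(
                q="mimeType='application/vnd.google-apps.spreadsheet' and parents in '%s' and name='%s'"
                  % (folder_id, spreadsheet_name),
                spaces='drive',
                pageSize=10,
                fields='files(id, name)').execute()
        except googleapiclient.errors.HttpError:
            messages.add_message(
                request,
                messages.ERROR,
                "There is a problem with the Google Sheets Sync Configuration. Contact your system admin to solve the issue. Until fixed Google Shet Sync feature can not be used.",
                extra_tags="alert-danger",
            )
            google_sheets_enabled = False
        except httplib2.ServerNotFoundError:
            messages.add_message(
                request,
                messages.ERROR,
                "Unable to reach the Google Sheet API.",
                extra_tags="alert-danger",
            )
        else:
            # A response without a 'files' key means "no match", not an error.
            spreadsheets = gs_files.get('files') or []
            if len(spreadsheets) == 1:
                sheet_url = ('https://docs.google.com/spreadsheets/d/'
                             + spreadsheets[0].get('id'))

    return render(request, 'dojo/view_test.html', {
        'test': test,
        'product_tab': product_tab,
        'findings': paged_findings,
        'filtered': findings,
        'findings_count': total_findings_count,
        'stub_findings': paged_stub_findings,
        'title_words': title_words,
        'component_words': component_words,
        'form': form,
        'notes': notes,
        'person': person,
        'request': request,
        'show_re_upload': show_re_upload,
        'creds': creds,
        'cred_test': cred_test,
        'tag_input': tags,
        'jira_config': jira_config,
        # Export is only meaningful when the feature is on and credentials
        # exist; bool() keeps the credential string out of the context.
        'show_export': bool(google_sheets_enabled and system_settings.credentials),
        'sheet_url': sheet_url,
    })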
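def view_finding(request, fid):
    """Render one Finding with its credentials, JIRA state, Burp data and notes.

    The requesting user must be staff or in the product's ``authorized_users``
    (403 otherwise).  A POST with a valid ``NoteForm`` attaches a note, marks
    the finding as reviewed by the user and, when the finding is linked to a
    JIRA issue, queues the note as a JIRA comment.

    Args:
        request: Django ``HttpRequest``.
        fid: Primary key of the ``Finding``.

    Returns:
        The rendered ``dojo/view_finding.html`` response.

    Raises:
        Http404: unknown finding id, or no ``Dojo_User`` row for the user.
        PermissionDenied: the user is not authorized for the product.
    """
    finding = get_object_or_404(Finding, id=fid)
    user = request.user
    product = finding.test.engagement.product

    # Authorize before any further lookups are made on the finding.
    if not (user.is_staff or user in product.authorized_users.all()):
        raise PermissionDenied

    # Credential mappings at finding, test and engagement level.
    cred_finding = (Cred_Mapping.objects.filter(finding=finding.id)
                    .select_related('cred_id').order_by('cred_id'))
    creds = (Cred_Mapping.objects.filter(test=finding.test.id)
             .select_related('cred_id').order_by('cred_id'))
    cred_engagement = (Cred_Mapping.objects.filter(engagement=finding.test.engagement.id)
                       .select_related('cred_id').order_by('cred_id'))

    # JIRA linkage is optional: tolerate only "not found" / ambiguous rows,
    # not arbitrary errors.
    try:
        jissue = JIRA_Issue.objects.get(finding=finding)
    except (JIRA_Issue.DoesNotExist, JIRA_Issue.MultipleObjectsReturned):
        jissue = None
    try:
        jconf = JIRA_PKey.objects.get(product=product).conf
    except (JIRA_PKey.DoesNotExist, JIRA_PKey.MultipleObjectsReturned):
        jconf = None

    dojo_user = get_object_or_404(Dojo_User, id=user.id)
    notes = finding.notes.all()

    form = NoteForm()
    if request.method == 'POST':
        form = NoteForm(request.POST)
        if form.is_valid():
            new_note = form.save(commit=False)
            new_note.author = request.user
            new_note.date = timezone.now()
            new_note.save()
            finding.notes.add(new_note)
            # Adding a note counts as a review of the finding.
            finding.last_reviewed = new_note.date
            finding.last_reviewed_by = user
            finding.save()
            if jissue is not None:
                add_comment_task(finding, new_note)
            form = NoteForm()
            url = request.build_absolute_uri(reverse("view_finding", args=(finding.id,)))
            title = "Finding: " + finding.title
            process_notifications(request, new_note, url, title)
            messages.add_message(request, messages.SUCCESS, 'Note saved.',
                                 extra_tags='alert-success')

    # The Burp request/response pair is optional and stored base64-encoded;
    # a missing row or an undecodable payload leaves both values as None.
    burp_request = burp_response = None
    try:
        reqres = BurpRawRequestResponse.objects.get(finding=finding)
        burp_request = base64.b64decode(reqres.burpRequestBase64)
        burp_response = base64.b64decode(reqres.burpResponseBase64)
    except (BurpRawRequestResponse.DoesNotExist,
            BurpRawRequestResponse.MultipleObjectsReturned,
            ValueError, TypeError):
        burp_request = burp_response = None

    add_breadcrumb(parent=finding, top_level=False, request=request)
    return render(request, 'dojo/view_finding.html', {
        'finding': finding,
        'burp_request': burp_request,
        'jissue': jissue,
        'jconf': jconf,
        'cred_finding': cred_finding,
        'creds': creds,
        'cred_engagement': cred_engagement,
        'burp_response': burp_response,
        'dojo_user': dojo_user,
        'user': user,
        'notes': notes,
        'form': form,
        'found_by': finding.found_by.all().distinct(),
    })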