def view_tool_product(request, pid, ttid): tool = Tool_Product_Settings.objects.get(pk=ttid) notes = tool.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() tool.notes.add(new_note) form = NoteForm() # url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) # title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) # process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb(title="View Product Tool Configuration", top_level=False, request=request) return render(request, 'dojo/view_tool_product.html', { 'tool': tool, 'notes': notes, 'form': form })
def view_tool_product(request, pid, ttid): tool = Tool_Product_Settings.objects.get(pk=ttid) notes = tool.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() tool.notes.add(new_note) form = NoteForm() # url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) # title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) # process_notifications(request, new_note, url, title) messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb( title="View Product Tool Configuration", top_level=False, request=request) return render(request, 'dojo/view_tool_product.html', { 'tool': tool, 'notes': notes, 'form': form })
def view_cred_details(request, ttid): cred = Cred_User.objects.get(pk=ttid) notes = cred.notes.all() cred_products = Cred_Mapping.objects.select_related('product').filter( product_id__isnull=False, cred_id=ttid).order_by('product__name') if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() cred.notes.add(new_note) form = NoteForm() messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb(title="View", top_level=False, request=request) return render(request, 'dojo/view_cred_details.html', { 'cred': cred, 'form': form, 'notes': notes, 'cred_products': cred_products })
def view_test(request, tid): test = Test.objects.get(id=tid) prod = test.engagement.product auth = request.user.is_staff or request.user in prod.authorized_users.all() if not auth: # will render 403 raise PermissionDenied notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('numerical_severity') stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter( test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter( engagement=test.engagement).select_related('cred_id').order_by( 'cred_id') if request.method == 'POST' and request.user.is_staff: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri( reverse("view_test", args=(test.id, ))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) product_tab = Product_Tab(prod.id, title="Test", tab="engagements") product_tab.setEngagement(test.engagement) return render( request, 'dojo/view_test.html', { 'test': test, 'product_tab': product_tab, 'findings': fpage, 'findings_count': findings.count(), 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test })
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter( test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter( engagement=test.engagement).select_related('cred_id').order_by( 'cred_id') if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri( reverse("view_test", args=(test.id, ))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) ajax_url = reverse('api_dispatch_list', kwargs={ 'resource_name': 'stub_findings', 'api_name': 'v1_a' }) add_breadcrumb(parent=test, top_level=False, request=request) return render( request, 'dojo/view_test.html', { 'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'ajax_url': ajax_url, 'creds': creds, 'cred_test': cred_test })
def edit_issue(request, id, page, objid): note = get_object_or_404(Notes, id=id) reverse_url = None object_id = None if page is None or str( request.user ) != note.author.username and not request.user.is_superuser: raise PermissionDenied if page == "test": object = get_object_or_404(Test, id=objid) object_id = object.id reverse_url = "view_test" elif page == "finding": object = get_object_or_404(Finding, id=objid) object_id = object.id reverse_url = "view_finding" if request.method == 'POST': form = NoteForm(request.POST, instance=note) if form.is_valid(): note = form.save(commit=False) note.edited = True note.editor = request.user note.edit_time = timezone.now() history = NoteHistory(data=note.entry, time=note.edit_time, current_editor=note.editor) history.save() note.history.add(history) note.save() object.last_reviewed = note.date object.last_reviewed_by = request.user object.save() form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note edited.', extra_tags='alert-success') return HttpResponseRedirect( reverse(reverse_url, args=(object_id, ))) else: messages.add_message(request, messages.SUCCESS, 'Note was not succesfully edited.', extra_tags='alert-danger') else: form = NoteForm(instance=note) return render(request, 'dojo/edit_note.html', { 'note': note, 'form': form, 'page': page, 'objid': objid, })
def view_test(request, tid): test = Test.objects.get(id=tid) prod = test.engagement.product auth = request.user.is_staff or request.user in prod.authorized_users.all() if not auth: # will render 403 raise PermissionDenied notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('numerical_severity') stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter(test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter(engagement=test.engagement).select_related('cred_id').order_by('cred_id') if request.method == 'POST' and request.user.is_staff: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) product_tab = Product_Tab(prod.id, title="Test", tab="engagements") product_tab.setEngagement(test.engagement) return render(request, 'dojo/view_test.html', {'test': test, 'product_tab': product_tab, 'findings': fpage, 'findings_count': findings.count(), 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test })
def view_cred_finding(request, fid, ttid): cred = get_object_or_404( Cred_Mapping.objects.select_related('cred_id'), id=ttid) cred_product = Cred_Mapping.objects.filter( cred_id=cred.cred_id.id, product=cred.finding.test.engagement.product.id).first() notes = cred.cred_id.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() cred.cred_id.notes.add(new_note) form = NoteForm() messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb( title="Credential Manager", top_level=False, request=request) cred_type = "Finding" edit_link = None view_link = reverse( 'view_cred_finding', args=( fid, cred.id, )) delete_link = reverse( 'delete_cred_finding', args=( fid, cred.id, )) return render( request, 'dojo/view_cred_all_details.html', { 'cred': cred, 'form': form, 'notes': notes, 'cred_type': cred_type, 'edit_link': edit_link, 'delete_link': delete_link, 'cred_product': cred_product })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) user = request.user if user.is_staff or user in finding.test.engagement.product.authorized_users.all( ): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render( request, 'dojo/view_finding.html', { 'finding': finding, 'burp_request': burp_request, 'burp_response': burp_response, 'user': user, 'notes': notes, 'form': form })
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() test.notes.add(new_note) form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) ajax_url = reverse('api_dispatch_list', kwargs={ 'resource_name': 'stub_findings', 'api_name': 'v1_a' }) add_breadcrumb(parent=test, top_level=False, request=request) return render( request, 'dojo/view_test.html', { 'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'ajax_url': ajax_url, })
def view_test(request, tid): if request.user.is_superuser: test = get_object_or_404(Test, id=tid) else: test = get_object_or_404(Test, id=tid, engagement__product__authorized_users__in=[request.user]) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('-score') stub_findings = Stub_Finding.objects.filter(test=test) if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) add_breadcrumb(parent=test, top_level=False, request=request) return render(request, 'dojo/view_test.html', {'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) user = request.user if (user.is_staff or user in finding.test.engagement.product.authorized_users.all()): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render(request, 'dojo/view_finding.html', {'finding': finding, 'burp_request': burp_request, 'burp_response': burp_response, 'user': user, 'notes': notes, 'form': form})
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter(test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter(engagement=test.engagement).select_related('cred_id').order_by('cred_id') if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) add_breadcrumb(parent=test, top_level=False, request=request) return render(request, 'dojo/view_test.html', {'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test })
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() test.notes.add(new_note) form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) ajax_url = reverse('api_dispatch_list', kwargs={'resource_name': 'stub_findings', 'api_name': 'v1_a'}) add_breadcrumb(parent=test, top_level=False, request=request) return render(request, 'dojo/view_test.html', {'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'ajax_url': ajax_url, })
def view_edit_risk_acceptance(request, eid, raid, edit_mode=False): risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if edit_mode and not eng.product.enable_full_risk_acceptance: raise PermissionDenied() risk_acceptance_form = None errors = False if request.method == 'POST': # deleting before instantiating the form otherwise django messes up and we end up with an empty path value if len(request.FILES) > 0: logger.debug('new proof uploaded') risk_acceptance.path.delete() if 'decision' in request.POST: old_expiration_date = risk_acceptance.expiration_date risk_acceptance_form = EditRiskAcceptanceForm(request.POST, request.FILES, instance=risk_acceptance) errors = errors or not risk_acceptance_form.is_valid() if not errors: logger.debug('path: %s', risk_acceptance_form.cleaned_data['path']) risk_acceptance_form.save() if risk_acceptance.expiration_date != old_expiration_date: # risk acceptance was changed, check if risk acceptance needs to be reinstated and findings made accepted again ra_helper.reinstate(risk_acceptance, old_expiration_date) messages.add_message( request, messages.SUCCESS, 'Risk Acceptance saved successfully.', extra_tags='alert-success') if 'entry' in request.POST: note_form = NoteForm(request.POST) errors = errors or not note_form.is_valid() if not errors: new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() risk_acceptance.notes.add(new_note) messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_acceptance.notes.remove(note) note.delete() messages.add_message( request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404( Finding, pk=request.POST['remove_finding_id']) ra_helper.remove_finding_from_risk_acceptance(risk_acceptance, finding) messages.add_message( request, messages.SUCCESS, 'Finding removed successfully from risk acceptance.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceProofForm( request.POST, request.FILES, instance=risk_acceptance) errors = errors or not replace_form.is_valid() if not errors: replace_form.save() messages.add_message( request, messages.SUCCESS, 'New Proof uploaded successfully.', extra_tags='alert-success') else: logger.error(replace_form.errors) if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_acceptance) errors = errors or not add_findings_form.is_valid() if not errors: findings = add_findings_form.cleaned_data['accepted_findings'] ra_helper.add_findings_to_risk_acceptance(risk_acceptance, findings) messages.add_message( request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') if not errors: logger.debug('redirecting to return_url') return redirect_to_return_url_or_else(request, reverse("view_risk_acceptance", args=(eid, raid))) else: logger.error('errors found') else: if edit_mode: risk_acceptance_form = EditRiskAcceptanceForm(instance=risk_acceptance) note_form = NoteForm() replace_form = ReplaceRiskAcceptanceProofForm(instance=risk_acceptance) add_findings_form = AddFindingsRiskAcceptanceForm(instance=risk_acceptance) accepted_findings = risk_acceptance.accepted_findings.order_by('numerical_severity') fpage = get_page_items(request, accepted_findings, 15) unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=accepted_findings).order_by("title") add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage') # on this page we need to add unaccepted findings as possible findings to add as accepted add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list product_tab = Product_Tab(eng.product.id, title="Risk Acceptance", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/view_risk_acceptance.html', { 'risk_acceptance': risk_acceptance, 'engagement': eng, 'product_tab': product_tab, 'accepted_findings': fpage, 'notes': risk_acceptance.notes.all(), 'eng': eng, 'edit_mode': edit_mode, 'risk_acceptance_form': risk_acceptance_form, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, # 'show_add_findings_form': len(unaccepted_findings), 'request': request, 'add_findings': add_fpage, 'return_url': get_return_url(request), })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) user = request.user try: jissue = JIRA_Issue.objects.get(finding=finding) except: jissue = None pass try: jpkey = JIRA_PKey.objects.get(product=finding.test.engagement.product) jconf = jpkey.conf except: jconf = None pass dojo_user = get_object_or_404(Dojo_User, id=user.id) if user.is_staff or user in finding.test.engagement.product.authorized_users.all( ): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() if jissue is not None: add_comment_task(finding, new_note) form = NoteForm() url = request.build_absolute_uri( reverse("view_finding", args=(finding.id, ))) title = "Finding: " + finding.title process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render( request, 'dojo/view_finding.html', { 'finding': finding, 'burp_request': burp_request, 'jissue': jissue, 'jconf': jconf, 'burp_response': burp_response, 'dojo_user': dojo_user, 'user': user, 'notes': notes, 'form': form })
def view_risk(request, eid, raid): risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if (request.user.is_staff or request.user in eng.product.authorized_users.all()): pass else: raise PermissionDenied a_file = risk_approval.path if request.method == 'POST': note_form = NoteForm(request.POST) if note_form.is_valid(): new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() risk_approval.notes.add(new_note) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_approval.notes.remove(note) note.delete() messages.add_message(request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404(Finding, pk=request.POST['remove_finding_id']) risk_approval.accepted_findings.remove(finding) finding.active = True finding.save() messages.add_message(request, messages.SUCCESS, 'Finding removed successfully.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceForm(request.POST, request.FILES, instance=risk_approval) if replace_form.is_valid(): risk_approval.path.delete(save=False) risk_approval.path = replace_form.cleaned_data['path'] risk_approval.save() messages.add_message(request, messages.SUCCESS, 'File replaced successfully.', extra_tags='alert-success') if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if add_findings_form.is_valid(): findings = add_findings_form.cleaned_data['accepted_findings'] for finding in findings: finding.active = False finding.save() risk_approval.accepted_findings.add(finding) risk_approval.save() messages.add_message(request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') note_form = NoteForm() replace_form = ReplaceRiskAcceptanceForm() add_findings_form = AddFindingsRiskAcceptanceForm() exclude_findings = [ finding.id for ra in eng.risk_acceptance.all() for finding in ra.accepted_findings.all() ] findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=exclude_findings).order_by("title") add_fpage = get_page_items(request, findings, 10, 'apage') add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list fpage = get_page_items( request, risk_approval.accepted_findings.order_by('numerical_severity'), 15) authorized = (request.user == risk_approval.reporter.username or request.user.is_staff) add_breadcrumb(parent=risk_approval, top_level=False, request=request) return render( request, 'dojo/view_risk.html', { 'risk_approval': risk_approval, 'accepted_findings': fpage, 'notes': risk_approval.notes.all(), 'a_file': a_file, 'eng': eng, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, 'show_add_findings_form': len(findings), 'request': request, 'add_findings': add_fpage, 'authorized': authorized, })
def view_test(request, tid): test = Test.objects.get(id=tid) prod = test.engagement.product auth = request.user.is_staff or request.user in prod.authorized_users.all() tags = Tag.objects.usage_for_model(Finding) if not auth: # will render 403 raise PermissionDenied notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('numerical_severity') stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter(test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter(engagement=test.engagement).select_related('cred_id').order_by('cred_id') system_settings = get_object_or_404(System_Settings, id=1) if request.method == 'POST' and request.user.is_staff: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) product_tab = Product_Tab(prod.id, title="Test", tab="engagements") product_tab.setEngagement(test.engagement) jira_config = JIRA_PKey.objects.filter(product=prod.id).first() if jira_config: jira_config = jira_config.conf_id google_sheets_enabled = system_settings.enable_google_sheets sheet_url = None if google_sheets_enabled: spreadsheet_name = test.engagement.product.name + "-" + test.engagement.name + "-" + str(test.id) system_settings = get_object_or_404(System_Settings, id=1) service_account_info = json.loads(system_settings.credentials) SCOPES = ['https://www.googleapis.com/auth/drive'] credentials = service_account.Credentials.from_service_account_info(service_account_info, scopes=SCOPES) try: drive_service = googleapiclient.discovery.build('drive', 'v3', credentials=credentials) folder_id = system_settings.drive_folder_ID files = drive_service.files().list(q="mimeType='application/vnd.google-apps.spreadsheet' and parents in '%s' and name='%s'" % (folder_id, spreadsheet_name), spaces='drive', pageSize=10, fields='files(id, name)').execute() except googleapiclient.errors.HttpError: messages.add_message( request, messages.ERROR, "There is a problem with the Google Sheets Sync Configuration. Contact your system admin to solve the issue. Until fixed Google Shet Sync feature can not be used.", extra_tags="alert-danger", ) google_sheets_enabled = False except httplib2.ServerNotFoundError: messages.add_message( request, messages.ERROR, "Unable to reach the Google Sheet API.", extra_tags="alert-danger", ) else: spreadsheets = files.get('files') if len(spreadsheets) == 1: spreadsheetId = spreadsheets[0].get('id') sheet_url = 'https://docs.google.com/spreadsheets/d/' + spreadsheetId return render(request, 'dojo/view_test.html', {'test': test, 'product_tab': product_tab, 'findings': fpage, 'findings_count': findings.count(), 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test, 'tag_input': tags, 'jira_config': jira_config, 'show_export': google_sheets_enabled, 'sheet_url': sheet_url })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) cred_finding = Cred_Mapping.objects.filter(finding=finding.id).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter(test=finding.test.id).select_related('cred_id').order_by('cred_id') cred_engagement = Cred_Mapping.objects.filter(engagement=finding.test.engagement.id).select_related('cred_id').order_by('cred_id') user = request.user try: jissue = JIRA_Issue.objects.get(finding=finding) except: jissue = None pass try: jpkey = JIRA_PKey.objects.get(product=finding.test.engagement.product) jconf = jpkey.conf except: jconf = None pass dojo_user = get_object_or_404(Dojo_User, id=user.id) if user.is_staff or user in finding.test.engagement.product.authorized_users.all(): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() if jissue is not None: add_comment_task(finding, new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_finding", args=(finding.id,))) title= "Finding: "+ finding.title process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render(request, 'dojo/view_finding.html', {'finding': finding, 'burp_request': burp_request, 'jissue': jissue, 'jconf': jconf, 'cred_finding': cred_finding, 'creds': creds, 'cred_engagement': cred_engagement, 'burp_response': burp_response, 'dojo_user': dojo_user, 'user': user, 'notes': notes, 'form': form, 'found_by': finding.found_by.all().distinct()})
def view_risk(request, eid, raid): risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if (request.user.is_staff or request.user in eng.product.authorized_users.all()): pass else: raise PermissionDenied a_file = risk_approval.path if request.method == 'POST': note_form = NoteForm(request.POST) if note_form.is_valid(): new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() risk_approval.notes.add(new_note) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_approval.notes.remove(note) note.delete() messages.add_message(request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404(Finding, pk=request.POST['remove_finding_id']) risk_approval.accepted_findings.remove(finding) finding.active = True finding.save() messages.add_message(request, messages.SUCCESS, 'Finding removed successfully.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if replace_form.is_valid(): risk_approval.path.delete(save=False) risk_approval.path = replace_form.cleaned_data['path'] risk_approval.save() messages.add_message(request, messages.SUCCESS, 'File replaced successfully.', extra_tags='alert-success') if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if add_findings_form.is_valid(): findings = add_findings_form.cleaned_data[ 'accepted_findings'] for finding in findings: finding.active = False finding.save() risk_approval.accepted_findings.add(finding) risk_approval.save() messages.add_message( request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') note_form = NoteForm() replace_form = ReplaceRiskAcceptanceForm() add_findings_form = AddFindingsRiskAcceptanceForm() exclude_findings = [finding.id for ra in eng.risk_acceptance.all() for finding in ra.accepted_findings.all()] findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=exclude_findings).order_by("title") add_fpage = get_page_items(request, findings, 10, 'apage') add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list fpage = get_page_items(request, risk_approval.accepted_findings.order_by( 'numerical_severity'), 15) authorized = (request.user == risk_approval.reporter.username or request.user.is_staff) add_breadcrumb(parent=risk_approval, top_level=False, request=request) return render(request, 'dojo/view_risk.html', {'risk_approval': risk_approval, 'accepted_findings': fpage, 'notes': risk_approval.notes.all(), 'a_file': a_file, 'eng': eng, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, 'show_add_findings_form': len(findings), 'request': request, 'add_findings': add_fpage, 'authorized': authorized, })
def view_risk(request, eid, raid): risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if request.user.is_staff or check_auth_users_list(request.user, eng): pass else: raise PermissionDenied a_file = risk_approval.path if request.method == 'POST': note_form = NoteForm(request.POST) if note_form.is_valid(): new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() risk_approval.notes.add(new_note) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_approval.notes.remove(note) note.delete() messages.add_message(request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404(Finding, pk=request.POST['remove_finding_id']) risk_approval.accepted_findings.remove(finding) finding.active = True finding.save() messages.add_message(request, messages.SUCCESS, 'Finding removed successfully.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceForm(request.POST, request.FILES, instance=risk_approval) if replace_form.is_valid(): risk_approval.path.delete(save=False) risk_approval.path = replace_form.cleaned_data['path'] risk_approval.save() messages.add_message(request, messages.SUCCESS, 'File replaced successfully.', extra_tags='alert-success') if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if add_findings_form.is_valid(): findings = add_findings_form.cleaned_data['accepted_findings'] for finding in findings: finding.active = False finding.save() risk_approval.accepted_findings.add(finding) risk_approval.save() messages.add_message(request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') note_form = NoteForm() replace_form = ReplaceRiskAcceptanceForm() add_findings_form = AddFindingsRiskAcceptanceForm() accepted_findings = risk_approval.accepted_findings.order_by( 'numerical_severity') fpage = get_page_items(request, accepted_findings, 15) unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=accepted_findings).order_by("title") add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage') # on this page we need to add unaccepted findings as possible findings to add as accepted add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list authorized = (request.user == risk_approval.owner.username or request.user.is_staff) product_tab = Product_Tab(eng.product.id, title="Risk Exception", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/view_risk.html', { 'risk_approval': risk_approval, 'product_tab': product_tab, 'accepted_findings': fpage, 'notes': risk_approval.notes.all(), 'a_file': a_file, 'eng': eng, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, # 'show_add_findings_form': len(unaccepted_findings), 'request': request, 'add_findings': add_fpage, 'authorized': authorized, })