Rest Framework Tests: Isolate tests by request type#10387

Merged
mtesauro merged 3 commits into
DefectDojo:devfrom
Maffooch:tests
Jun 13, 2024
Conversation

@Maffooch
Contributor

@Maffooch Maffooch commented Jun 11, 2024

In an attempt to isolate various functions of the rest framework tests to create a more dependable testing environment, I stumbled upon the real issue here. When running the delete preview test (this is the one that is consistently failing), the first step in the test is to get all objects in the database by calling the LIST endpoint, and then get the first one in the list.

The problem here is that MySQL and Postgres may be sorting things differently (from the minimal reading I have done so far), and this gives a theory for why these issues only really appeared when switching databases for the unit tests.

The solution here is going to be to add another parameter that will allow for specifying the ID of each test for making update/delete requests within these tests.

[sc-6382]
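An added illustration of the failure mode described above (example code, not DefectDojo's own test suite): a fake LIST endpoint returns the same rows in a backend-specific order, so a test that operates on "the first item" targets different objects on different databases, while a test that names the ID it expects is stable. The two row orders are constructed assumptions for the demonstration, not observed MySQL or Postgres behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    id: int
    name: str


# Constructed sample rows. Without an explicit ordering, each backend may
# hand them back in its own physical order.
ROWS = [Obj(1, "alpha"), Obj(2, "beta"), Obj(3, "gamma")]


def list_endpoint(backend: str) -> list[Obj]:
    """Simulated unordered LIST response; the per-backend orders are assumed."""
    if backend == "postgres":
        return [ROWS[2], ROWS[0], ROWS[1]]  # e.g. heap order after earlier updates
    return list(ROWS)  # e.g. primary-key order


def delete_preview_first(backend: str) -> int:
    """Original pattern: act on whichever object happens to be listed first."""
    return list_endpoint(backend)[0].id


def delete_preview_by_id(backend: str, object_id: int) -> int:
    """Fixed pattern: the test pins the ID; LIST only confirms it exists."""
    present = {obj.id for obj in list_endpoint(backend)}
    if object_id not in present:
        raise LookupError(f"object {object_id} not present on {backend}")
    return object_id


def targets_differ(backends=("mysql", "postgres")) -> bool:
    """True when the first-item pattern picks different objects per backend."""
    return len({delete_preview_first(b) for b in backends}) > 1


def targets_agree(object_id: int, backends=("mysql", "postgres")) -> bool:
    """True when the pinned-ID pattern picks the same object on every backend."""
    return len({delete_preview_by_id(b, object_id) for b in backends}) == 1
```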

@dryrunsecurity

dryrunsecurity Bot commented Jun 11, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status          Findings
Configured Codepaths Analyzer   0 findings
IDOR Analyzer                   0 findings
Sensitive Files Analyzer        0 findings
SQL Injection Analyzer          0 findings
Authn/Authz Analyzer            0 findings
Secrets Analyzer                0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request are focused on improving the overall quality and security of the REST API implementation in the DefectDojo application. The main changes involve adding comprehensive unit tests for various REST API endpoints, covering different request types (Retrieve, List, Create, Update, Delete) and permission types (Object-based, Configuration-based). The tests ensure that the API endpoints are functioning as expected and that the responses are compliant with the defined OpenAPI 3 schema. From a security perspective, the changes address key aspects such as sensitive data handling, authorization checks, schema validation, and severity validation. These improvements help identify and prevent potential security vulnerabilities that may arise from incorrect or unexpected API behavior.

Files Changed:

  • unittests/test_rest_framework.py: This file has been updated to include new tests for various REST API endpoints in the DefectDojo application. The tests are organized into different classes based on the type of requests (Retrieve, List, Create, Update, Delete) and the type of permissions (Object-based, Configuration-based). The tests cover scenarios such as retrieving a single object, retrieving a list of objects, creating a new object, updating an existing object, deleting an object, and checking authorization for object-based and configuration-based permissions. The tests also include specific tests for certain endpoints, such as finding request/response, file upload and download, and finding API. The changes demonstrate a strong focus on improving the security and reliability of the DefectDojo REST API.

Powered by DryRun Security

@mtesauro mtesauro closed this Jun 12, 2024
@mtesauro mtesauro reopened this Jun 12, 2024
Contributor

@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro merged commit 75b1c67 into DefectDojo:dev Jun 13, 2024
@Maffooch Maffooch deleted the tests branch July 16, 2024 22:40