
Fixing "'WSGIRequest' object has no attribute 'user'" errors#9373

Merged
Maffooch merged 1 commit into
DefectDojo:bugfixfrom
cneill:wsgi-user-error
Jan 22, 2024

Conversation

@cneill
Contributor

@cneill cneill commented Jan 19, 2024

Description

This fixes an error that occurs in addition to the invalid host header error raised by Django when a user requests e.g. /favicon.ico via a non-allowed host.

django-defectdojo-uwsgi-1         |   File "/app/dojo/context_processors.py", line 38, in bind_alert_count
django-defectdojo-uwsgi-1         |     if request.user.is_authenticated:
django-defectdojo-uwsgi-1         |        ^^^^^^^^^^^^
django-defectdojo-uwsgi-1         | AttributeError: 'WSGIRequest' object has no attribute 'user'
django-defectdojo-uwsgi-1         | [pid: 14|app: -|req: -/-] 192.168.65.1 (-) {50 vars in 847 bytes} [Fri Jan 19 17:40:13 2024] GET /favicon.ico => generated 0 bytes in 554 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)

Test results

Setting DD_ALLOWED_HOSTS=localhost when calling ./dc-up-d.sh and making a request to http://127.0.0.1:8080/favicon.ico now raises the invalid host header exception as expected, but it doesn't produce a 500 error from the missing user attribute on the request object.

After fix:

django-defectdojo-uwsgi-1         | [19/Jan/2024 17:46:46] ERROR [django.security.DisallowedHost:125] Invalid HTTP_HOST header: '127.0.0.1:8080'. You may need to add '127.0.0.1' to ALLOWED_HOSTS.
django-defectdojo-uwsgi-1         | Traceback (most recent call last):
django-defectdojo-uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/django/core/handlers/exception.py", line 56, in inner
django-defectdojo-uwsgi-1         |     response = get_response(request)
django-defectdojo-uwsgi-1         |                ^^^^^^^^^^^^^^^^^^^^^
django-defectdojo-uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/django/utils/deprecation.py", line 135, in __call__
django-defectdojo-uwsgi-1         |     response = self.process_request(request)
django-defectdojo-uwsgi-1         |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
django-defectdojo-uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/django/middleware/common.py", line 48, in process_request
django-defectdojo-uwsgi-1         |     host = request.get_host()
django-defectdojo-uwsgi-1         |            ^^^^^^^^^^^^^^^^^^
django-defectdojo-uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/django/http/request.py", line 152, in get_host
django-defectdojo-uwsgi-1         |     raise DisallowedHost(msg)
django-defectdojo-uwsgi-1         | django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: '127.0.0.1:8080'. You may need to add '127.0.0.1' to ALLOWED_HOSTS.
django-defectdojo-uwsgi-1         | [pid: 15|app: -|req: -/-] 192.168.65.1 (-) {50 vars in 847 bytes} [Fri Jan 19 17:46:46 2024] GET /favicon.ico => generated 13233 bytes in 778 msecs (HTTP/1.1 200) 1 headers in 59 bytes (1 switches on core 0)

[sc-3996]
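The traceback above shows the mechanism: CommonMiddleware.process_request raises DisallowedHost while validating the Host header, and in the usual middleware ordering that happens before AuthenticationMiddleware has attached request.user. Django still renders the 400 page through the template engine, which runs the configured context processors, so a processor that dereferences request.user unconditionally turns a harmless 400 into a 500. The following is an added example, not the PR's own change or DefectDojo's code: it contrasts an unguarded context processor with one that treats a request lacking a user attribute as anonymous. It avoids importing Django so it runs offline; the request objects, the ALERTS lookup table and the processor names are constructed stand-ins for the real request and database query.

```python
from types import SimpleNamespace

# Constructed stand-in for the per-user alert lookup; the real project queries
# the database here. Keyed by username so the example runs offline.
ALERTS = {"alice": 3}


def bind_alert_count_unguarded(request):
    """Before: assumes AuthenticationMiddleware already attached request.user.

    Raises AttributeError when it did not, e.g. on the 400 page Django renders
    after CommonMiddleware raised DisallowedHost. In production that becomes
    the 500 seen in the first log excerpt.
    """
    if request.user.is_authenticated:
        return {"alert_count": ALERTS.get(request.user.username, 0)}
    return {"alert_count": 0}


def bind_alert_count(request):
    """After: tolerate a request that never passed through AuthenticationMiddleware.

    Only middleware that ran before the exception had a chance to populate the
    request, so `user` may be absent entirely. Treat that like an anonymous
    user rather than assuming the attribute exists.
    """
    user = getattr(request, "user", None)
    if user is None or not user.is_authenticated:
        return {"alert_count": 0}
    return {"alert_count": ALERTS.get(user.username, 0)}


def simulate(processor, request):
    """Run a context processor the way the template engine would, reporting
    an AttributeError as an 'error' key instead of letting it propagate."""
    try:
        return processor(request)
    except AttributeError as exc:
        return {"error": str(exc)}


# Constructed requests: one that went through the full middleware chain and
# one that did not (no `user` attribute at all), mirroring the /favicon.ico
# request from a disallowed host in the PR description.
authenticated_request = SimpleNamespace(
    path="/",
    user=SimpleNamespace(is_authenticated=True, username="alice"),
)
bare_request = SimpleNamespace(path="/favicon.ico")  # no `user` attribute


if __name__ == "__main__":
    print(simulate(bind_alert_count_unguarded, bare_request))
    print(simulate(bind_alert_count, bare_request))
    print(simulate(bind_alert_count, authenticated_request))
```

The guard deliberately falls back to "no alerts" rather than trying to look the user up another way: the 400 page for a bad Host header should not depend on session or authentication state, and a context processor is not the place to reconstruct it.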

@dryrunsecurity

Contextual Security Analysis

As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.

Status DryRun Security Check
AI-powered Sensitive Function Check
Configured Sensitive Files Check
AI-powered Sensitive Files Check

Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch merged commit e051995 into DefectDojo:bugfix Jan 22, 2024