DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Browser tab crash on deleting many alerts #10532

Closed coheigea closed 1 month ago

coheigea commented 2 months ago

I've ended up in a situation where DefectDojo has a huge number of alerts (~600k) that weren't cleared over a long time with much refactoring. There is no way to delete the alerts, as the browser tab crashed trying to load all the alerts at /delete_alerts.

I did not find an API to delete the alerts. Is there a way to do this in the UI that I've missed (or a REST API)?

[Screenshot attached: 2024-07-08 14:52:54]
coheigea commented 2 months ago

FAO @mtesauro

manuel-sommer commented 2 months ago

Hi @coheigea,

did you look at the settings? Maybe these help:

https://documentation.defectdojo.com/usage/performance/

coheigea commented 2 months ago

@manuel-sommer I suspect these won't help; the problem is the huge volume of data that appears when I try to delete the alerts.

mtesauro commented 2 months ago

@coheigea There's a couple of options:

(1) Set DD_DELETE_PREVIEW to false in settings/local_settings.py or pass it in as an ENV variable. This keeps the "here's what's going to be deleted" list from being generated and can help when deleting a large number of objects in the UI/browser.

(2) If you're careful and know Python/Django & DefectDojo internals, there's `manage.py shell`, which gives you direct access to the objects in Django/DefectDojo. However, it's definitely a power tool: it can help in situations like this one, but it can also cut off fingers, aka you can break your DefectDojo install if you do the wrong thing.

HTH

coheigea commented 1 month ago

@mtesauro Thanks for your response. I did set DD_DELETE_PREVIEW to false, but it's not taken into account for alerts. IMO this is probably a bug to fix?

I was able to work around the issue by reading the code: https://github.com/DefectDojo/django-DefectDojo/blob/b6d6e61f58f17572f5e1e54d7caa40900f5f0725/dojo/user/views.py#L194

```python
# Quoted from dojo/user/views.py at the commit linked above; imports added for context.
from django.contrib import messages
from django.http import HttpResponseRedirect
from django.shortcuts import render
from django.utils.translation import gettext as _

from dojo.models import Alerts


def delete_alerts(request):
    alerts = Alerts.objects.filter(user_id=request.user)

    if request.method == 'POST':
        alerts.filter().delete()
        messages.add_message(
            request,
            messages.SUCCESS,
            _('Alerts removed.'),
            extra_tags='alert-success')
        return HttpResponseRedirect('alerts')

    # On GET every alert is handed to the template as a deletion preview,
    # regardless of DD_DELETE_PREVIEW; with ~600k alerts this is what crashes the tab.
    return render(request,
                  'dojo/delete_alerts.html',
                  {'alerts': alerts})
```

I used an intercepting proxy to change the deletion from GET to POST to avoid printing out the alerts in the form and it did the trick.

mtesauro commented 1 month ago

@coheigea Yeah, that looks like a bug to me - seems like that got missed when the rest of the delete previews were made optional.

:+1: On your sneaky fix/workaround.

Give us some time and we'll see about a PR to remove that Alert preview.

manuel-sommer commented 1 month ago

I guess this can be closed @mtesauro

coheigea commented 1 month ago

Thanks for the fix @Maffooch, I just updated and was able to delete the alerts in the UI.