DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License
3.69k stars 1.55k forks

Limit on report size that can be imported #2346

Closed madchap closed 4 years ago

madchap commented 4 years ago

Is your feature request related to a problem? Please describe
Right now, anyone can import a report of any size, which can lead to a DoS -- as I can experiment now. For example, git repository scans can generate a ton of findings (esp. if you don't pay the right attention to false positives). In my case, well over 100K across all branches caused a DoS on my instance.

We should have an upper limit to mitigate DoS.

Describe the solution you'd like
The idea is to limit -- both at UI and API levels -- the size of the report that can be uploaded. It could be the number of rows or the file size.

valentijnscholten commented 4 years ago

Isn't there a limit by default? We get questions about how to raise the limit on a weekly basis in the Slack channel. Or is that only for the standalone / setup.bash installs?

madchap commented 4 years ago

Maybe through the UI, but not the API somehow.

madchap commented 4 years ago

https://github.com/DefectDojo/django-DefectDojo/blob/dev/nginx/nginx.conf#L14

800m... we're asking to be DoS'ed, it seems.
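The kind of application-level guard the feature request above describes, covering both limits it mentions (file size and number of rows), as an added example. This is not DefectDojo's own code; the limit values, function names and the JSON/CSV report shapes are assumptions made for illustration.

```python
"""Bound the size of an imported scan report before it is parsed (added example;
not DefectDojo code).

Two independent limits are enforced:
  * an upper bound on upload size in bytes, checked while streaming so an
    oversized body is rejected without ever being fully buffered;
  * an upper bound on the number of findings (rows), so a small but dense
    report cannot still flood the database.
Limit values and report formats below are assumptions, not project defaults.
"""
import csv
import io
import json

MAX_REPORT_BYTES = 5 * 1024 * 1024  # assumed: 5 MiB per upload
MAX_FINDINGS = 1000                 # assumed: findings accepted per import


class ReportTooLarge(ValueError):
    """Raised when an upload exceeds a configured limit."""


def read_bounded(stream, limit=MAX_REPORT_BYTES, chunk_size=64 * 1024):
    """Read at most `limit` bytes from a binary stream, in chunks.

    Aborts as soon as the running total passes the limit, so the caller never
    holds an arbitrarily large body in memory just to measure it.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > limit:
            raise ReportTooLarge(f"report exceeds {limit} bytes")
    return bytes(buf)


def count_findings(data: bytes, fmt: str) -> int:
    """Count findings in an assumed JSON (array of objects) or CSV (header + rows) report."""
    if fmt == "json":
        parsed = json.loads(data)
        if not isinstance(parsed, list):
            raise ValueError("expected a JSON array of findings")
        return len(parsed)
    if fmt == "csv":
        rows = [r for r in csv.reader(io.StringIO(data.decode("utf-8"))) if r]
        return max(len(rows) - 1, 0)  # first non-empty row is the header
    raise ValueError(f"unsupported format: {fmt}")


def validate_report(stream, fmt, max_bytes=MAX_REPORT_BYTES, max_findings=MAX_FINDINGS):
    """Return (size_in_bytes, finding_count) or raise ReportTooLarge."""
    data = read_bounded(stream, max_bytes)
    n = count_findings(data, fmt)
    if n > max_findings:
        raise ReportTooLarge(f"report has {n} findings, limit is {max_findings}")
    return len(data), n


def import_decision(data: bytes, fmt: str, max_bytes=MAX_REPORT_BYTES,
                    max_findings=MAX_FINDINGS) -> dict:
    """Wrap validate_report() as the accept/reject decision an upload view would make."""
    try:
        size, n = validate_report(io.BytesIO(data), fmt, max_bytes, max_findings)
        return {"accepted": True, "bytes": size, "findings": n}
    except ReportTooLarge as exc:
        return {"accepted": False, "reason": str(exc)}


# Constructed sample reports for demonstration (not real scanner output).
def make_json_report(n: int) -> bytes:
    return json.dumps([{"title": f"finding-{i}", "severity": "Low"} for i in range(n)]).encode()


def make_csv_report(n: int) -> bytes:
    lines = ["title,severity"] + [f"finding-{i},Low" for i in range(n)]
    return ("\n".join(lines) + "\n").encode()


if __name__ == "__main__":
    print(import_decision(make_json_report(3), "json"))
    print(import_decision(make_json_report(MAX_FINDINGS + 1), "json"))
    print(import_decision(make_csv_report(4), "csv", max_bytes=16))
```

A proxy-level limit such as nginx's `client_max_body_size` (the directive the linked nginx.conf line sets) only bounds bytes, so the row-count check is still worth having: a compact report can carry far more findings than the database should accept in one import. Whatever limits are chosen, they need to apply on the API path as well as the UI, which is the gap the comments above point out.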

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Maffooch commented 4 years ago

Seems to be fixed