Fix Report generation issue (pic_token template tag) #10153

Merged
merged 2 commits into from
May 8, 2024

Conversation

dogboat
Contributor

@dogboat dogboat commented May 8, 2024

This patch fixes report generation by reverting changes made that stripped out kwargs needed for the pic_token template tag to work.


dryrunsecurity bot commented May 8, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
Sensitive Files Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 9 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request are focused on enhancing the functionality of the report generation feature in the Django application. The key changes include the addition of user_id and host parameters to the FindingList and EndpointList widgets, as well as updates to the report_widget_factory() function to handle these new parameters.

From a security perspective, the inclusion of the user_id and host parameters in the report output could be considered a potential information disclosure issue, depending on the sensitivity of the information being reported. It's important to review the access controls and permissions to ensure that only authorized users can access this information.

Additionally, the report_widget_factory() function is responsible for creating and configuring the various report widgets based on the provided JSON data. It's crucial to ensure that the JSON data is properly validated and sanitized to prevent potential injection attacks, such as SQL injection or cross-site scripting (XSS) vulnerabilities.

In the dojo/reports/views.py file, the changes to the CustomReport view also introduce some security considerations. The view uses the user_is_authorized decorator to ensure that the user has the necessary permissions to access the report, and it sanitizes the user input by using the CustomReportJsonForm form. These are positive steps towards maintaining the security of the application.

Files Changed:

  1. dojo/reports/widgets.py:

    • The FindingList and EndpointList widgets now accept additional parameters user_id and host, which are used in the get_html() and get_asciidoc() methods to include the user ID and host information in the generated report.
    • The report_widget_factory() function has been updated to handle the new user_id and host parameters when creating the FindingList and EndpointList widgets.
  2. dojo/reports/views.py:

    • The CustomReport view is responsible for generating custom reports based on user input, including the option to include finding notes and images.
    • The view uses the report_widget_factory function to create the widgets that will be included in the report, and it populates the context data for the report template.
    • The view includes security measures, such as the user_is_authorized decorator and the use of the CustomReportJsonForm form to validate and sanitize the user input.

Powered by DryRun Security
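
The two points raised above (a factory that drops the keyword arguments its widgets need, and JSON-driven widget construction that should be validated before it dispatches) can be shown together in a small, self-contained sketch. This is an added illustration and not DefectDojo's code: the `FindingList`, `EndpointList` and `report_widget_factory` names are borrowed from the summary, but their bodies, the `WIDGET_TYPES` allowlist, the `ids` field and the sample JSON are all assumptions made here to demonstrate the pattern.

```python
"""Added illustration, not DefectDojo's implementation: a report-widget factory
that dispatches on a JSON 'type' field through an allowlist and forwards the
user_id/host keyword arguments that rendering depends on."""
import html
import json


class _ListWidget:
    """Hypothetical widget base: needs user_id and host at render time,
    the way the page says the pic_token template tag does."""
    label = "item"

    def __init__(self, request, ids, user_id=None, host=None):
        self.request = request
        self.ids = list(ids)
        self.user_id = user_id
        self.host = host

    def get_html(self):
        # Stand-in for a template tag that cannot run without these kwargs.
        if self.user_id is None or self.host is None:
            raise ValueError(f"{type(self).__name__} needs user_id and host")
        items = "".join(f"<li>{self.label} {int(i)}</li>" for i in self.ids)
        # Values that came in via kwargs are escaped before they hit markup.
        return (f'<ul data-user="{html.escape(str(self.user_id))}" '
                f'data-host="{html.escape(str(self.host))}">{items}</ul>')


class FindingList(_ListWidget):
    label = "finding"


class EndpointList(_ListWidget):
    label = "endpoint"


# Allowlist: the JSON 'type' field selects a class from here and nowhere else,
# so request data can never name an arbitrary callable (hypothetical keys).
WIDGET_TYPES = {"finding-list": FindingList, "endpoint-list": EndpointList}


def report_widget_factory_before(json_data, request, **kwargs):
    """The regression described in the PR, in miniature: kwargs are accepted
    but never forwarded, so every widget is built without user_id/host."""
    return [WIDGET_TYPES[item["type"]](request, item["ids"])
            for item in json.loads(json_data)]


def report_widget_factory(json_data, request, user_id=None, host=None):
    """Fixed version: validates each entry, then forwards user_id and host."""
    widgets = []
    for item in json.loads(json_data):
        widget_cls = WIDGET_TYPES.get(item.get("type"))
        if widget_cls is None:
            raise ValueError(f"unknown widget type: {item.get('type')!r}")
        ids = item.get("ids", [])
        if not all(isinstance(i, int) and i >= 0 for i in ids):
            raise ValueError("widget ids must be non-negative integers")
        widgets.append(widget_cls(request, ids, user_id=user_id, host=host))
    return widgets


def widgets_render(widgets):
    """True if every widget renders; False if one is missing user_id/host."""
    try:
        for widget in widgets:
            widget.get_html()
    except ValueError:
        return False
    return True


def render_report(json_data, request, user_id, host):
    """Builds the widgets with the fixed factory and concatenates their HTML."""
    widgets = report_widget_factory(json_data, request, user_id=user_id, host=host)
    return "".join(w.get_html() for w in widgets)


# Constructed sample input for the demo; not taken from the PR.
SAMPLE_JSON = json.dumps([
    {"type": "finding-list", "ids": [1, 2]},
    {"type": "endpoint-list", "ids": [3]},
])

if __name__ == "__main__":
    broken = report_widget_factory_before(SAMPLE_JSON, None, user_id=7, host="dojo.example")
    print("before the fix, widgets render:", widgets_render(broken))
    print(render_report(SAMPLE_JSON, None, user_id=7, host="dojo.example"))
```

Run as a script, the "before" factory produces widgets that fail at `get_html()` because `user_id` and `host` never reached them, which is the symptom the PR title describes; the fixed factory forwards them and also rejects a `type` outside the allowlist instead of letting request-controlled JSON pick the class.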

@dogboat
Contributor Author

dogboat commented May 8, 2024

[sc-5897]

@Maffooch Maffooch merged commit 963ebed into DefectDojo:bugfix May 8, 2024
122 checks passed

5 participants