Skip to content

Release: Merge back 2.49.1 into dev from: master-into-dev/2.49.1-2.50.0-dev#12964

Merged
rossops merged 18 commits intodevfrom
master-into-dev/2.49.1-2.50.0-dev
Aug 11, 2025
Merged

Release: Merge back 2.49.1 into dev from: master-into-dev/2.49.1-2.50.0-dev#12964
rossops merged 18 commits intodevfrom
master-into-dev/2.49.1-2.50.0-dev

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented Aug 11, 2025

Release triggered by rossops

DefectDojo release bot and others added 17 commits August 4, 2025 15:47
Update versions in application files
22e0b93
@rossops
Merge pull request #12912 from DefectDojo/master-into-bugfix/2.49.0-2…
284378d 
….50.0-dev

Release: Merge back 2.49.0 into bugfix from: master-into-bugfix/2.49.0-2.50.0-dev
@kiblik
Revert "Feat(nginx): Add support for IPv6" (#12916)
84d149e 
This reverts commit e9d9872.
@valentijnscholten
debug toolbar: downgrade to 5.2.0 (#12919)
64a118a
@Maffooch
Webhook Notifications: Support the owner field (#12940)
3816918 
* Webhook Notifications: Support the owner field

* Forgot the `engagement_added` event in docs

* Support the case where the owner is not supplied

* Adding tests

* Adding a new user to the test data had surprising consequences...
@Maffooch
Docs: Restore package-lock.json (#12954)
f50d5fe 
* Docs: Restore `package-lock.json`

* Update SEO params
@Maffooch
Display Tags: Do not rely on the request object being present (#12939)
6e38ffa
@valentijnscholten
new snyk_issue_api parser for code issues (file based) (#12903)
30b7e21 
* snyk_issue_api: support code items

* make fix_available backward compatible
@valentijnscholten
fix async stuff in perf test (#12901)
ce05b71
@valentijnscholten
restore entrypoint-unit-tests-devDocker.sh (#12904)
33f6e36
@kiblik
Enable ipv6 in nginx (if available) (#12938)
a2bb109 
* Revert "Feat(nginx): Add support for IPv6"

This reverts commit e9d9872.

* Feat(nginx): Add support for IPv6

* proper handling non-IPv6 hosts
@ThiagoCruzBr
ADD: Alternative command to change password (#12931)
0ca79ab 
Alternative command useful for automation.
@Maffooch
Documentation: Guide to testing hugo pipeline locally (#12959)
1980c52 
* Documentation: Guide to testing hugo pipeline locally

* Forgot I was on an a newer version of hugo
Update versions in application files
19c1fe1
@rossops
Merge branch 'master' into release/2.49.1
4c4b9c2
@rossops
Merge pull request #12962 from DefectDojo/release/2.49.1
2b63f9e 
Release: Merge release into master from: release/2.49.1
Update versions in application files
86f5d1f
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Aug 11, 2025
edited
Loading

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains sensitive edits to multiple files including Python and shell script files, and also includes potential security risks such as a hardcoded weak password in Docker documentation and information disclosure in webhook payloads that expose user personal information.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in docker/entrypoint-nginx.sh
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/templatetags/navigation_tags.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Hardcoded Weak Password in Documentation in readme-docs/DOCKER.md
Vulnerability Hardcoded Weak Password in Documentation
Description The documentation for Docker Compose includes an example command to change the admin password that contains a hardcoded, weak password ('Password123!'). There is no prominent warning or instruction advising users to change this password to a strong, unique one, or to use a placeholder. This could lead to users deploying instances with a known, easily guessable admin password, making them vulnerable to unauthorized access.

django-DefectDojo/readme-docs/DOCKER.md

Lines 152 to 162 in e335e63

docker compose exec -it uwsgi ./manage.py changepassword admin
```
Alternatively, you can run the command below to change the admin password in a single command. Useful for automation.
```zsh
docker compose exec uwsgi ./manage.py shell -c 'from django.contrib.auth.models import User; u = User.objects.get(username="admin"); u.set_password("Password123!"); u.save()'
```
# Logging
For docker compose release mode the log level is INFO. In the other modes the log level is DEBUG. Logging is configured in `settings.dist.py` and can be tuned using a `local_settings.py`, see [template for local_settings.py](../dojo/settings/template-local_settings)). For example the deduplication logger can be set to DEBUG in a local_settings.py file:

Information Disclosure in Webhook Payload in dojo/templates/notifications/webhooks/subtemplates/user.tpl
Vulnerability Information Disclosure in Webhook Payload
Description The user.tpl template, which is included in various webhook notification payloads, explicitly exposes sensitive user information. This includes the user's ID, email address, username, first name, last name, and UI/API URLs. This data is transmitted in webhook events, creating a risk of information disclosure if the webhook endpoint is untrusted or the communication is intercepted. There is no apparent mechanism within the application's configuration to control or redact this PII from the webhook payloads.

django-DefectDojo/dojo/templates/notifications/webhooks/subtemplates/user.tpl

Lines 1 to 16 in e335e63

{% load display_tags %}
{% load as_json %}
{% if user %}
{% url 'view_user' user.id as user_url_ui %}
{% url 'user-detail' user.id as user_url_api %}
user:
id: {{ user.pk }}
email: {{ user.email | as_json_no_html_esc }}
username: {{ user.username | as_json_no_html_esc }}
first_name: {{ user.first_name | as_json_no_html_esc }}
last_name: {{ user.last_name | as_json_no_html_esc }}
url_ui: {{ user_url_ui | full_url | as_json_no_html_esc }}
url_api: {{ user_url_api | full_url | as_json_no_html_esc }}
{% else %}
user: {{ user | as_json_no_html_esc }}
{% endif %}

We've notified @mtesauro.

All finding details can be found in the DryRun Security Dashboard.

@rossops rossops merged commit baddd97 into dev Aug 11, 2025
88 checks passed
@rossops rossops deleted the master-into-dev/2.49.1-2.50.0-dev branch August 11, 2025 15:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

Assignees

No one assigned

Labels

docker docs helm parser ui unittests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rossops @kiblik @valentijnscholten @Maffooch @ThiagoCruzBr