feat: add Remove from Finding bulk action on View Finding page

[valentijnscholten]

Summary

While working on #14660 I noticed the "delete" icon was missing from the endpoint bulk edit menu on the View Finding page.

• Add a Remove from Finding trash button next to the Bulk Edit dropdown on the View Finding page, allowing users to disassociate selected endpoints from a finding without deleting the endpoint objects themselves
• Non-V3 path (endpoint_status_bulk_update): when remove_from_finding is posted, delete the matching Endpoint_Status records for the selected endpoints
• V3/Locations path (finding_location_bulk_update): when remove_from_finding is posted, delete the matching LocationFindingReference records
• Both views already require Finding_Edit permission via @user_is_authorized; no additional permission check is needed
• The JS appends selected endpoint IDs and the remove_from_finding flag to the existing bulk_change_form before submitting, reusing the same form and URL as the bulk status update
• Add unit tests covering single removal, partial removal, multi-endpoint removal, Endpoint_Status cleanup, no-op without the flag, and redirect behaviour

[dryrunsecurity]

🟡 Please give this pull request extra attention during review.

This pull request introduces DOM-based XSS risk by concatenating checkbox element IDs directly into HTML strings used to create hidden inputs (e.g., $('')), allowing an attacker who can control an element id to inject arbitrary HTML/JS. The id is not escaped or validated and the code relies on HTML parsing rather than safe DOM methods, so it should be changed to use proper escaping or create inputs with safe DOM APIs.

🟡 Potential Cross-Site Scripting in dojo/templates/dojo/view_finding.html (drs_5106af06)

Vulnerability

Potential Cross-Site Scripting

Description

The JavaScript concatenates checkbox element IDs directly into HTML strings used to create hidden input elements: $(''). If an attacker can control an element's id, they can inject characters that break out of the attribute context and add arbitrary HTML/JS, leading to DOM-based XSS. The code does not escape or otherwise validate the id before concatenation and uses innerHTML-like construction via jQuery HTML parser instead of safe DOM methods.

django-DefectDojo/dojo/templates/dojo/view_finding.html

Lines 1480 to 1483 in e95e41a

	var hidden_input = $('<input type="hidden" value="' + this.id + '" name="endpoints_to_update">');
	$('form#bulk_change_form').append(hidden_input);
	});
	$('form#bulk_change_form').append($('<input type="hidden" name="remove_from_finding" value="1">'));

---

Comment to provide feedback on these findings.

Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]

Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing

All finding details can be found in the DryRun Security Dashboard.

[dogboat]

Handy! This works, I just had some questions about the way the UI renders. Could be just my system tho.

[dogboat]

This is what it looks like to me, on both Chrome and Firefox (MacOS):

...which is weird, because you posted a screenshot that looks fantastic. Is it just me?

[dogboat]

Any chance we could have the click handler be on the entire button and not just the anchor? As it is now, I have to click the anchor content, which is a bit smaller than the button itself. When I was testing I hit the button but not the icon, which didn't trigger the action.

[valentijnscholten]

The screenshot is old and now I have an even newer one where the trash button looks the same as in other places, red on a grey background. Click handler adjusted, can't believe I didn't do that myself as I hate buttons not being clickable.

From another place in dojo the trash icon:

[dogboat]

Cool, thank you!

[mtesauro]

Approved

[mtesauro]

Closing and re-opening to kick the tests again