Release: Merge back 2.57.2 into dev from: master-into-dev/2.57.2-2.58.0-dev#14712
….58.0-dev Release: Merge back 2.57.1 into bugfix from: master-into-bugfix/2.57.1-2.58.0-dev
Bumps [pillow](https://github.com/python-pillow/Pillow) from 12.1.1 to 12.2.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.1...12.2.0)

---
updated-dependencies:
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…er (#14631)

* added ssrf utils to check urls and applied it to risk recon parser
* update risk recon unit tests
* add unit tests for SSRF protection in risk recon API init

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* add unit tests for utils_ssrf module

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Fix accept_risks API endpoints to use RBAC instead of IsAdminUser

  Replace DRF's IsAdminUser permission with DefectDojo's RBAC system on all accept_risks endpoints. IsAdminUser only checked is_staff, bypassing role-based access control entirely.

  - Use UserHasRiskAcceptanceRelatedObjectPermission for detail endpoints (engagement/test accept_risks) to enforce Permissions.Risk_Acceptance
  - Change mass endpoint to query engagements with Risk_Acceptance permission instead of Engagement_View
  - Enforce product-level enable_full_risk_acceptance setting on all accept_risks endpoints
  - Add 9 RBAC unit tests covering writer/reader roles and the enable_full_risk_acceptance product setting

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix ruff lint: add blank line before class docstring

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* change to reactivating risk accepted findings
* Fix remove_finding BFLA and add test coverage (PR #14633)

  Gate the remove_finding POST branch on edit_mode so only the edit URL (requiring Risk_Acceptance permission) can process finding removals. Scope the finding lookup to risk_acceptance.accepted_findings to prevent cross-product blind enumeration via sequential IDs.

  Add 6 security tests covering: edit_mode guard, scoped lookup, cross-product IDOR, decorator enforcement, and positive regression.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* change-to-moving-engagements
* fix-migration-issue:
* Revert PR #14634 changes (editable=False approach)

  Reverting the approach of making Engagement.product editable=False and splitting serializers. Will replace with proper permission checks on the destination product when moving engagements.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add permission check on destination product when moving engagements

  When a user changes an engagement's product (via API PUT/PATCH or the UI edit form), verify they have Engagement_Edit permission on the destination product. Previously only the source product was checked, allowing users to move engagements to products they lack write access to.

  - API: EngagementSerializer.validate() checks destination product permission on update, following the ProductMemberSerializer pattern
  - UI: edit_engagement() view checks destination product permission before saving
  - Tests: 8 new tests covering PATCH, PUT, and UI paths for both authorized and unauthorized product moves

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix UI test: form queryset already rejects unauthorized products

  The EngForm product queryset is filtered to authorized products, so submitting an unauthorized product fails form validation (200) before the view-level permission check runs. Update the test to accept both 200 and 403 -- the key assertion is that the engagement does not move.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix ruff lint: docstring formatting

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Documents a repeatable 10-phase process for reorganizing domain modules (finding, test, engagement, product, product_type) to match the dojo/url/ reference pattern. Includes service-layer extraction guidance to support the long-term goal of removing the classic UI and going fully API-based. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove unnecessary template filter from auditor and mitigated_by fields in the endpoints snippet to align with standard Django template rendering conventions. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…mport/reimport (#14636)

* Fix reimport-scan API authorization bypass via conflicting identifiers

  Validate that ID-resolved objects (test, engagement) are consistent with name-based identifiers (product_name, engagement_name) in both the permission check layer and the AutoCreateContextManager resolution layer. This prevents an attacker from passing their own engagement/test ID to satisfy the permission check while using name-based fields to target a victim's product.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use ID-based comparisons and add engagement_name check to import

  - Switch permission checks to use ID comparisons (product_id, engagement_id) where resolved objects are available, with name fallback for unresolved cases
  - Add engagement_name validation to UserHasImportPermission (was missing)
  - Fix ruff string quoting in auto_create_context.py

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Strip undeclared engagement field in reimport permission check

  The engagement field is not declared on ReImportScanSerializer and gets stripped during validation. The permission check must also strip it so it resolves targets the same way execution does — by name, not by a stale engagement ID from request.data. Update test to verify the engagement param is ignored and permission is checked against the name-resolved target.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix information disclosure in conflict validation error messages

  Replace error messages that leaked resolved object names (product names, engagement names) with generic messages. An attacker could enumerate object names by sending conflicting ID-based and name-based identifiers and reading the detailed error responses.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
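The identifier-consistency rule described in the commit above, as an added Python example that is not DefectDojo's own code: `ReimportTargetResolver`, `user_may_reimport` and the sample products, engagements and tests are constructed stand-ins for AutoCreateContextManager and the import permission class, modelling only the checks the commit message names (strip the undeclared `engagement` field, reject name fields that disagree with the ID-resolved objects, compare permissions by product ID, and keep the conflict error generic).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    id: int
    name: str


@dataclass(frozen=True)
class Engagement:
    id: int
    name: str
    product_id: int


@dataclass(frozen=True)
class Test:
    id: int
    engagement_id: int


# Generic message: never echo resolved product/engagement names back, or a
# conflicting request becomes an object-name enumeration oracle.
CONFLICT_MESSAGE = "Conflicting identifiers: ID-based and name-based targets do not match"

# Fields the (hypothetical) reimport serializer does not declare. They are
# stripped before resolution so the permission check and the executing
# import look at exactly the same inputs.
UNDECLARED_FIELDS = ("engagement",)


class ReimportTargetResolver:
    """Stand-in for DefectDojo's AutoCreateContextManager (constructed example)."""

    def __init__(self, products, engagements, tests):
        self.products = {p.id: p for p in products}
        self.products_by_name = {p.name: p for p in products}
        self.engagements = {e.id: e for e in engagements}
        self.tests = {t.id: t for t in tests}

    def resolve(self, data):
        """Return (product, engagement) the request targets; raise on conflict."""
        data = {k: v for k, v in data.items() if k not in UNDECLARED_FIELDS}
        test_id = data.get("test")
        product_name = data.get("product_name")
        engagement_name = data.get("engagement_name")

        if test_id is not None:
            test = self.tests.get(test_id)
            if test is None:
                raise LookupError("test not found")
            engagement = self.engagements[test.engagement_id]
            product = self.products[engagement.product_id]
            # Name-based fields must agree with the ID-resolved objects.
            if engagement_name is not None and engagement_name != engagement.name:
                raise ValueError(CONFLICT_MESSAGE)
            if product_name is not None and product_name != product.name:
                raise ValueError(CONFLICT_MESSAGE)
            return product, engagement

        # Name-only path: what a reimport without a test ID actually executes with.
        product = self.products_by_name.get(product_name)
        if product is None:
            raise LookupError("product not found")
        engagement = next(
            (e for e in self.engagements.values()
             if e.product_id == product.id and e.name == engagement_name),
            None,
        )
        return product, engagement


def resolve_error(resolver, data):
    """Return the conflict message for a request, or None if it resolves cleanly."""
    try:
        resolver.resolve(data)
    except ValueError as exc:
        return str(exc)
    return None


def user_may_reimport(resolver, authorized_product_ids, data):
    """Permission check by product ID on the resolved target (conflicts are denied)."""
    try:
        product, _ = resolver.resolve(data)
    except ValueError:
        return False
    return product.id in authorized_product_ids


def build_sample_resolver():
    """Constructed fixtures: the caller owns product 1, product 2 belongs to someone else."""
    products = [Product(1, "own-product"), Product(2, "other-product")]
    engagements = [Engagement(10, "own-eng", 1), Engagement(20, "other-eng", 2)]
    tests = [Test(100, 10)]
    return ReimportTargetResolver(products, engagements, tests)
```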
…o-DefectDojo into report-css-fix
🎉 add mozilla foundation sec advice to vulnid
…laybook docs: add CLAUDE.md with module reorganization playbook
fix css overflow issue - reports
* Add OSS subscriber for Open Source Messaging banner

  Fetches a markdown message from the DaaS-published GCS bucket, renders the bleached headline and optional expanded section through the existing additional_banners template loop. Cached for 1h; any fetch/parse failure silently yields no banner. No Django settings introduced — disabling the banner requires forking.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Enable nl2br in expanded markdown and fold module into dojo.announcement

  Single newlines in the expanded body now render as <br>, so authored markdown lays out multi-line. Module folded into the existing dojo/announcement/ app and test patch paths updated.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Use <button> for banner toggle and clean focus styling

  Anchor-based toggle picked up Bootstrap alert link styles and a lingering focus outline after click, which showed as a stray glyph next to the caret. A plain <button type="button"> avoids link decoration entirely; focus outline and transition are also dropped so the caret flips instantly.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Replace DD_CLOUD_BANNER with centralized additional_banners system

  Migrate all promotional messaging to the additional_banners context processor pattern. Product announcements now store banners in the session for rendering via the unified template loop. Each banner carries a source field (os, product_announcement) so downstream repos can filter by origin.

  - Remove DD_CREATE_CLOUD_BANNER setting and env var entirely
  - Repurpose ProductAnnouncementManager to use session-based banners
  - Remove evaluate_pro_proposition celery task and beat schedule
  - Remove create_announcement_banner from initialization command
  - Simplify announcement signal to remove cloud-specific logic
  - Add SHOW_PLG_LINK context variable for PLG menu item control
  - Rename os-banner-* CSS classes to generic banner-* classes
  - Add data-source attribute to banner template markup
  - Switch OS message bucket URL from dev to prod
  - Add 52 tests covering context processor and product announcements

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Remove unused import and add docstring to TestBannerDictSchema
* Fix ruff FURB189: use UserDict instead of dict subclass

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Release: Merge release into master from: release/2.57.2
This pull request modifies many sensitive template and backend files (multiple dojo templates, templatetags, context processors, API/permissions/serializers, importers, and tasks) triggering configured-codepaths alerts, and introduces numerous instances where a custom markdown_render filter or the safe filter outputs HTML into templates, raising multiple high/critical potential Cross-Site Scripting (XSS) findings that require verifying/sanitizing the renderer and trusted sources (or updating .dryrunsecurity.yaml to allow these changes).
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/report_base.html (drs_07488137)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py (drs_0f1cbd51)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_type_pdf_report.html (drs_c2bd7bc2)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/test_pdf_report.html (drs_1adac117)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_9bf04591)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_pdf_report.html (drs_a0b92cf2)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/context_processors.py (drs_bb00b3c8)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/engagement/views.py (drs_1ae25cad)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/auto_create_context.py (drs_f69d80a2)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/engagement_pdf_report.html (drs_0b9461fe)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/finding_pdf_report.html (drs_4bba7bf4)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_8419a7f4)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_pdf_report.html (drs_96fbd951)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_type_pdf_report.html (drs_fc6a507f)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/test_pdf_report.html (drs_3fcea6e0)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/report_base.html (drs_b221b222)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/announcement/os_message.py (drs_894d87d0)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/announcement/signals.py (drs_c35bc322)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/permissions.py (drs_1b53aff4)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_3462414a)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_62126547)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_pdf_report.html (drs_ac7aa781)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/risk_acceptance/api.py (drs_c791cf6c)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/engagement/views.py (drs_30062496)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_95f69632)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/engagement/views.py (drs_fe475fa1)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/permissions.py (drs_9add9c87)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/auto_create_context.py (drs_48ded0e4)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py (drs_72f3a588)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/permissions.py (drs_70c2eb97)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_7c55789f)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/engagement/views.py (drs_ac7776dc)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/auto_create_context.py (drs_ac204e6d)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/risk_acceptance/api.py (drs_2162a427)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/snippets/endpoints.html (drs_a8f431e6)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py (drs_7ae5c2f4)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/endpoint_pdf_report.html (drs_6150295f)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/engagement_pdf_report.html (drs_f5cef475)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/finding_pdf_report.html (drs_14a8d6fa)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/risk_acceptance/api.py (drs_03281958)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/tasks.py (drs_08032020)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/base.html (drs_238044b6)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/endpoint_pdf_report.html (drs_1c4fe8ec)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/engagement_pdf_report.html (drs_72cc5752)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/finding_pdf_report.html (drs_aa7dfeaa)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_type_pdf_report.html (drs_2686b42f)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/snippets/endpoints.html (drs_45c02244)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/test_pdf_report.html (drs_45b564d4)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/report_base.html (drs_a0da58ae)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py (drs_483d4bac)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/test_pdf_report.html (drs_d2181462)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The templates render user-controllable model fields through a custom 'markdown_render' filter which may emit raw HTML. If that filter returns unsanitized HTML (i.e. the filter marks output safe or allows raw HTML), Django auto-escaping is bypassed and XSS is possible. |
django-DefectDojo/dojo/templates/dojo/test_pdf_report.html
Lines 332 to 335 in e507378
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/engagement_pdf_report.html (drs_56e00397)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates use a custom filter markdown_render to render Finding fields into HTML. If that filter outputs unsafe HTML, user-controlled data could reach the page without proper escaping, causing XSS. |
django-DefectDojo/dojo/templates/dojo/engagement_pdf_report.html
Lines 313 to 327 in e507378
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/finding_pdf_report.html (drs_2d92ce52)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates render multiple finding fields using a custom template filter markdown_render. If that filter returns HTML that is not properly escaped/sanitized (or is marked safe after unsafe rendering), user-controlled content could reach the page as raw HTML and enable XSS. The PR shows many fields switched to use this filter in HTML contexts and also adds banner.messagesafe elsewhere, increasing places where HTML may be rendered unsafely. |
django-DefectDojo/dojo/templates/dojo/finding_pdf_report.html
Lines 164 to 167 in e507378
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/endpoint_pdf_report.html (drs_0323ca3a)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The templates render user-controlled finding text through a custom template filter markdown_render which converts Markdown to HTML and returns mark_safe. If markdown_render does not reliably remove or neutralize unsafe HTML, this can allow attacker-supplied HTML/JS to be emitted unescaped to pages (XSS). |
django-DefectDojo/dojo/templates/dojo/endpoint_pdf_report.html
Lines 203 to 224 in e507378
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_3331e854)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render various finding text fields using a custom template filter 'markdown_render' and the rendered HTML is output into templates using plain variable substitution (no additional escaping in templates). If markdown_render returns unsanitized HTML (or marks it safe), user-controlled content could reach the rendered page as raw HTML, enabling XSS. |
django-DefectDojo/dojo/templates/dojo/product_endpoint_pdf_report.html
Lines 234 to 237 in e507378
🟠 Potential Cross-Site Scripting in dojo/templates/base.html (drs_2ee06d4b)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The template uses the Django safe filter to render banner.message and banner.expanded_html, which disables auto-escaping. We must verify whether those values originate from trusted, properly sanitized sources. If untrusted user input can reach these fields unsanitized, XSS is possible. |
django-DefectDojo/dojo/templates/base.html
Lines 673 to 690 in e507378
🟠 Potential Cross-Site Scripting in dojo/context_processors.py (drs_8bbce52e)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Banner content from two sources is injected into template context and rendered with the safe filter in templates: (1) OS banner produced by get_os_banner() and (2) product banners stored to request.session. get_os_banner() fetches markdown, renders it to HTML via markdown.markdown(), and then uses bleach.clean() with explicit tag/attribute allowlists — the headline uses INLINE_TAGS/INLINE_ATTRS and the expanded body uses BLOCK_TAGS/BLOCK_ATTRS. Session-stored product banners are appended directly into context without additional sanitization. The template uses the safe filter ({{ banner.messagesafe }} and {{ banner.expanded_htmlsafe }}) when rendering banners, which disables Django auto-escaping. If session-sourced banners can contain attacker-controlled HTML, they will be rendered unsanitized, causing XSS. |
django-DefectDojo/dojo/context_processors.py
Lines 36 to 67 in e507378
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/finding_pdf_report.html (drs_d58ffe28)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render multiple finding fields using a custom template filter 'markdown_render' which outputs HTML into the template without additional escaping (the output is placed directly in the template context and not post-processed). A custom renderer that returns HTML can introduce XSS if it does not sanitize untrusted input. |
django-DefectDojo/dojo/templates/dojo/finding_pdf_report.html
Lines 182 to 203 in e507378
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/endpoint_pdf_report.html (drs_078abd64)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates render user-controlled finding fields through a custom template filter markdown_render which returns mark_safe(bleach.clean(...)). If markdown_render does not properly sanitize or still allows unsafe HTML, this could enable XSS. |
django-DefectDojo/dojo/templates/dojo/endpoint_pdf_report.html
Lines 185 to 188 in e507378
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/test_pdf_report.html (drs_9d255940)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The change renders various finding text fields in PDF/HTML templates using a custom template filter markdown_render. If that filter returns raw HTML (i.e. converts Markdown to HTML) and that HTML is inserted into templates without sanitization, attacker-controlled markdown could result in XSS. The patch does not show the implementation of markdown_render or any sanitization step before rendering these fields; it merely wraps the filter output in a div and does not use Django's safe/sanitization features here, so a direct path exists from stored finding text to rendered HTML. |
django-DefectDojo/dojo/templates/dojo/test_pdf_report.html
Lines 353 to 356 in e507378
We've notified @mtesauro.
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
Release triggered by rossops