Release: Merge release into master from: release/2.55.1#14248
….56.0-dev Release: Merge back 2.55.0 into bugfix from: master-into-bugfix/2.55.0-2.56.0-dev
* update robots.txt for indexing
* add audience content to algolia indexing
* add cache refresh for release notes version
Bumps [django](https://github.com/django/django) from 5.2.9 to 5.2.11.
- [Commits](django/django@5.2.9...5.2.11)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 5.2.11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Set last reviewed date and reviewer for finding

  Update finding's last reviewed date and reviewer to maintain parity with UI behaviors

* Apply suggestion from @Maffooch
* Set last reviewed date and author for finding

  Update finding with last reviewed date and author.

* Apply suggestions from code review
* Apply suggestion from @Maffooch

---------

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
Hardened build_count_subquery to explicitly clear ordering and order by group_field before slicing. This prevents Django from adding implicit ORDER BY <pk> which causes GROUP BY to collapse counts to 1. Also updated prefetch_for_product_type to use the hardened helper instead of a local Subquery with the same vulnerability. Added unit tests to verify the fixes work correctly. Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
🔴 Risk threshold exceeded. This pull request modifies dojo/jira_link/views.py and includes sensitive-path edits, introduces a potential server-side request forgery (SSRF) where an unvalidated, user-controlled issue_id is concatenated into a Jira URL and requested, and exposes webhook/IDOR weaknesses by relying on a global URL secret and allowing attacker-controlled Jira payloads to alter findings (including status, reviewer, and timestamps). These changes raise security concerns around SSRF, webhook integrity, and audit tampering and should be reviewed and mitigated (input validation, allowlisting, stronger authentication, and stricter access controls) before merging.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🟡 Potential Server-Side Request Forgery (SSRF) in dojo/jira_link/views.py
| Vulnerability | Potential Server-Side Request Forgery (SSRF) |
|---|---|
| Description | User-controlled value 'issue_key' (issue_id) from jform.cleaned_data is concatenated into an HTTP URL and passed directly to jira._session.get(key_url) with no validation, allowlist, or scheme/host/IP checks. The code builds key_url as jira_server.strip("/") + "/rest/api/latest/issue/" + issue_id + "/transitions?expand=transitions.fields" and issues an HTTP request; an attacker who can control issue_key could inject values that alter the request target (for example by including path traversal-like content or special encodings) leading to SSRF to unintended hosts. There is no DNS/IP resolution validation or redirect protection visible in the surrounding code. |
django-DefectDojo/dojo/jira_link/views.py, lines 351 to 353 in 9778f34
Insecure Direct Object Reference (IDOR) / Webhook Integrity in dojo/jira_link/views.py
| Vulnerability | Insecure Direct Object Reference (IDOR) / Webhook Integrity |
|---|---|
| Description | The Jira webhook endpoint in dojo/jira_link/views.py lacks robust integrity checks and suffers from an IDOR vulnerability. It relies on a global shared secret passed in the URL, which is the only form of authentication. Once this secret is known (or if it is disabled via configuration), an attacker can spoof webhook requests. The handler extracts a Jira issue ID (jid) directly from the user-controlled JSON payload and uses it to locate and modify associated findings in DefectDojo. The code in this hunk specifically adds an update to the finding's last_reviewed and last_reviewed_by fields, allowing an attacker to manipulate audit trails. Furthermore, related logic in the webhook handler allows an attacker to change finding statuses (e.g., to Mitigated or Risk Accepted) and backdate mitigation timestamps. |
django-DefectDojo/dojo/jira_link/views.py, lines 288 to 291 in 9778f34
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Release triggered by Maffooch