
Update dojo/models.py

31aca16
Merged

Add CVSS4 support #12751

DryRunSecurity / Cross-Site Scripting Analyzer succeeded Jul 15, 2025 in 1s

DryRun Security


Cross-Site Scripting Analyzer Findings: 2 detected

⚠️ Potential Cross-Site Scripting in dojo/forms.py

Type: Potential Cross-Site Scripting

Description: The code is potentially vulnerable to XSS in the BulletListDisplayWidget's render method. Although mark_safe() is used, which typically helps prevent XSS, the method directly constructs HTML using an f-string with user-controlled input (self.urls_dict). If the urls_dict contains untrusted data, an attacker could potentially inject malicious scripts via the URL or text values. While mark_safe() prevents automatic escaping, it does not sanitize the input itself. Care must be taken to ensure that self.urls_dict only contains trusted data before rendering.

Filename: dojo/forms.py
    # Imports assumed for this excerpt of dojo/forms.py (not shown in the flagged region)
    from django import forms
    from django.utils.safestring import mark_safe
    from django.utils.translation import gettext_lazy as _

    EFFORT_FOR_FIXING_INVALID_CHOICE = _("Select valid choice: Low,Medium,High")


    class BulletListDisplayWidget(forms.Widget):
        def __init__(self, urls_dict=None, *args, **kwargs):
            # Mapping of url -> link text rendered as a bullet list
            self.urls_dict = urls_dict or {}
            super().__init__(*args, **kwargs)

        def render(self, name, value, attrs=None, renderer=None):
            if not self.urls_dict:
                return ""
            html = '<ul style="margin: 0; padding-left: 20px;">'
            for url, text in self.urls_dict.items():
                # url and text are interpolated into the markup as-is (no escaping)
                html += f'<li style="list-style-type: disc;"><a href="{url}" target="_blank"><i class="fa fa-arrow-up-right-from-square" style="margin-right: 5px;"></i>{text}</a></li>'
            html += "</ul>"
            # mark_safe() tells the template engine not to autoescape this string
            return mark_safe(html)


    class MultipleSelectWithPop(forms.SelectMultiple):
        def render(self, name, *args, **kwargs):
            html = super().render(name, *args, **kwargs)
⚠️ Potential Cross-Site Scripting in dojo/templates/dojo/view_finding.html

Type: Potential Cross-Site Scripting

Description: The code is potentially vulnerable to XSS because it directly renders variables (firstID, currentID, lastID) into JavaScript without proper sanitization. These variables are being inserted directly into the script context using Django's template syntax, which could allow an attacker to inject arbitrary JavaScript if the values are not strictly controlled. The lack of explicit escaping or sanitization means that if these variables contain user-controlled input, a malicious script could be executed in the browser.

Filename: dojo/templates/dojo/view_finding.html
    <script type="application/javascript" src="{% static "jquery.hotkeys/jquery.hotkeys.js" %}"></script>
    <script type="text/javascript" src="{% static "jquery-highlight/jquery.highlight.js" %}"></script>
    <script type="text/javascript">
        // Template variables are emitted directly into the script context
        var firstID = {% if findings_list.0 %}{{findings_list.0}}{% else %}null{% endif %};
        var currentID = {% if finding.id %}{{finding.id}}{% else %}null{% endif %};
        var lastID = {% if findings_list_lastElement %}{{findings_list_lastElement}}{% else %}null{% endif %};
        if(currentID != firstID)
        {
            $('.PrevAndNext_Buttons').append('<a href="{% url 'view_finding' prev_finding_id %}" class="btn btn-primary">Previous Finding</a> ');