Release: Merge release into master from: release/2.52.2#13718
….53.0-dev Release: Merge back 2.52.1 into bugfix from: master-into-bugfix/2.52.1-2.53.0-dev
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
* 💄 beautify drheader jsonfiles
* add more json
* 🎉 Advance ibm app parser with fix_available
* fix
* 🎉 Advance Dawnscanner with fix_available
* update
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
Co-authored-by: Valentijn Scholten <valentijn.scholten@iodigital.com>
…ding, and Tests (#13696)
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
…or improved readability
feat(helm): Relocate docs/schema hints
Qualys parser add CVEs to Vulnerability Ids for xml files
🔴 Risk threshold exceeded. This pull request modifies several files including dojo/finding/helper.py and dojo/finding/views.py and introduces notification-related changes in dojo/api_v2/views.py that may expose sensitive data: notification parent/section titles are constructed directly from Engagement.name, Finding.title, and Test.title without sanitization or truncation, risking information disclosure to external channels (Slack, MS Teams, Email, Webhooks). Sensitive file paths and allowed authors can be tuned via .dryrunsecurity.yaml, but consider adding validation/sanitization, truncation, or configuration gating for notifications to mitigate the risk.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Information Disclosure in dojo/api_v2/views.py
| Vulnerability | Information Disclosure |
|---|---|
| Description | The process_tag_notifications function constructs a parent_title using the engagement name (f"Engagement: {engagement.name}") and passes it to create_notification. The create_notification function then dispatches this parent_title to various notification channels (Slack, MS Teams, Email, Webhooks) without any sanitization or truncation. The Engagement model's name field is a CharField with no specific restrictions preventing sensitive data. Therefore, if an engagement name contains sensitive information (e.g., client names, project details, internal system identifiers), this information could be disclosed to unauthorized parties or external systems via these notifications. |
Referenced code: django-DefectDojo/dojo/api_v2/views.py, lines 540 to 543 in c1387b7
Information Disclosure in dojo/api_v2/views.py
| Vulnerability | Information Disclosure |
|---|---|
| Description | The finding.title is used to construct the parent_title argument for the process_tag_notifications function. This parent_title is then passed as the section argument to the create_notification function. The create_notification function renders notification messages using templates, and the section (containing the finding.title) is available to these templates. If external notification channels (Slack, MS Teams, Email, Webhooks) are enabled and their templates include the section variable, sensitive vulnerability details from the finding.title could be disclosed to unauthorized recipients or external systems. |
Referenced code: django-DefectDojo/dojo/api_v2/views.py, lines 1107 to 1110 in c1387b7
Information Disclosure in dojo/api_v2/views.py
| Vulnerability | Information Disclosure |
|---|---|
| Description | The parent_title for notifications is constructed directly from test.title without any sanitization or truncation. This parent_title is then used in various notification channels (email, Slack, MSTeams, webhooks). If a user includes sensitive information in the test.title field, this information could be inadvertently disclosed to unintended recipients through these notifications. |
Referenced code: django-DefectDojo/dojo/api_v2/views.py, lines 2165 to 2168 in c1387b7
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Release: Merge release into master from: release/2.52.2
Release triggered by rossops