Release: Merge release into master from: release/2.52.2 #13718
Merged
DryRunSecurity / General Security Analyzer
succeeded
Nov 17, 2025 in 1m 46s
DryRun Security
General Security Analyzer Findings: 3 detected
⚠️ Information Disclosure dojo/api_v2/views.py

| Field | Value |
|---|---|
| Type | Information Disclosure |
| Description | The process_tag_notifications function constructs a parent_title using the engagement name (f"Engagement: {engagement.name}") and passes it to create_notification. The create_notification function then dispatches this parent_title to various notification channels (Slack, MS Teams, Email, Webhooks) without any sanitization or truncation. The Engagement model's name field is a CharField with no specific restrictions preventing sensitive data. Therefore, if an engagement name contains sensitive information (e.g., client names, project details, internal system identifiers), this information could be disclosed to unauthorized parties or external systems via these notifications. |
| Filename | dojo/api_v2/views.py |
| CodeLink | django-DefectDojo/dojo/api_v2/views.py Lines 540 to 543 in c1387b7 |
⚠️ Information Disclosure dojo/api_v2/views.py

| Field | Value |
|---|---|
| Type | Information Disclosure |
| Description | The finding.title is used to construct the parent_title argument for the process_tag_notifications function. This parent_title is then passed as the section argument to the create_notification function. The create_notification function renders notification messages using templates, and the section (containing the finding.title) is available to these templates. If external notification channels (Slack, MS Teams, Email, Webhooks) are enabled and their templates include the section variable, sensitive vulnerability details from the finding.title could be disclosed to unauthorized recipients or external systems. |
| Filename | dojo/api_v2/views.py |
| CodeLink | django-DefectDojo/dojo/api_v2/views.py Lines 1107 to 1110 in c1387b7 |
⚠️ Information Disclosure dojo/api_v2/views.py

| Field | Value |
|---|---|
| Type | Information Disclosure |
| Description | The parent_title for notifications is constructed directly from test.title without any sanitization or truncation. This parent_title is then used in various notification channels (email, Slack, MS Teams, webhooks). If a user includes sensitive information in the test.title field, this information could be inadvertently disclosed to unintended recipients through these notifications. |
| Filename | dojo/api_v2/views.py |
| CodeLink | django-DefectDojo/dojo/api_v2/views.py Lines 2165 to 2168 in c1387b7 |