Skip to content

[docs] Add Apollo script#13734

Merged
Maffooch merged 2 commits intoDefectDojo:bugfixfrom
paulOsinski:docs-apollo
Nov 20, 2025
Merged

[docs] Add Apollo script#13734
Maffooch merged 2 commits intoDefectDojo:bugfixfrom
paulOsinski:docs-apollo

Conversation

@paulOsinski
Copy link
Copy Markdown
Contributor

@paulOsinski paulOsinski commented Nov 18, 2025

Adds Apollo JS to documentation (used by DD Inc)

@github-actions github-actions Bot added the docs label Nov 18, 2025
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Nov 18, 2025
edited
Loading

DryRun Security

This pull request adds external JavaScript loads from static.reo.dev and assets.apollo.io in docs/layouts/_partials/head/script-header.html without Subresource Integrity (SRI) protection, creating a supply-chain risk where a compromise of those providers could lead to XSS or data theft (made worse by a dynamic nocache parameter that prevents a stable SRI hash). Consider adding SRI hashes where possible, avoiding dynamic cache-busting parameters for third‑party scripts, or self‑hosting/mitigating the dependency to reduce the risk.

Third-Party Script Inclusion / Supply Chain Risk in docs/layouts/_partials/head/script-header.html
Vulnerability Third-Party Script Inclusion / Supply Chain Risk
Description The code loads JavaScript from two external domains (static.reo.dev and assets.apollo.io) without Subresource Integrity (SRI) checks. This creates a supply chain risk. If either of these third-party services is compromised, malicious JavaScript could be executed on this site, leading to attacks like Cross-Site Scripting (XSS) or data theft. The dynamic nocache parameter for the Apollo script further complicates the use of static SRI hashes.

django-DefectDojo/docs/layouts/_partials/head/script-header.html

Lines 1 to 12 in 73492b8

<!-- Insert scripts NOT needed by stylesheets here -->
<!-- Start of Reo Javascript -->
<script type="text/javascript">
!function () { var e, t, n; e = "a92cfcfa51eca96", t = function () { Reo.init({ clientID: "a92cfcfa51eca96" }) }, (n = document.createElement("script")).src = "https://static.reo.dev/" + e + "/reo.js", n.async = !0, n.onload = t, document.head.appendChild(n) }();
</script>
<!-- End of Reo Javascript -->
<script>function initApollo() {
var n = Math.random().toString(36).substring(7), o = document.createElement("script");
o.src = "https://assets.apollo.io/micro/website-tracker/tracker.iife.js?nocache=" + n, o.async = !0, o.defer = !0,
o.onload = function () { window.trackingFunctions.onLoad({ appId: "68ffca00b8c4dc001de5fec3" }) },
document.head.appendChild(o)
} initApollo();</script>

All finding details can be found in the DryRun Security Dashboard.

mtesauro
mtesauro approved these changes Nov 18, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@valentijnscholten valentijnscholten added this to the 2.52.3 milestone Nov 19, 2025
@Maffooch Maffooch merged commit a85bbba into DefectDojo:bugfix Nov 20, 2025
151 checks passed
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
@paulOsinski
add apollo script (DefectDojo#13734)
61c8eac 
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Maffooch approved these changes

@Jino-T Jino-T Jino-T approved these changes

Assignees

No one assigned

Labels

docs

Projects

None yet

Milestone

2.52.3

Development

Successfully merging this pull request may close these issues.

5 participants

@paulOsinski @mtesauro @valentijnscholten @Maffooch @Jino-T