
Merge branch 'bugfix' into dev

3fbb770
Closed

Fix product.html column sizing with autoWidth: false. Same as here https://github.com/DefectDojo/django-DefectDojo/pull/13835 #13868

DryRunSecurity / General Security Analyzer succeeded Dec 12, 2025 in 1m 39s

DryRun Security

General Security Analyzer Findings: 2 detected

⚠️ Untrusted Input in GitHub Actions Workflow: .github/workflows/release-x-manual-docker-containers.yml

Type: Untrusted Input in GitHub Actions Workflow

Description: The GitHub Actions workflow '.github/workflows/release-x-manual-docker-containers.yml' uses the release_number input directly as the ref for the actions/checkout step without any validation. An attacker with write access to the repository can trigger this workflow_dispatch event and provide an arbitrary Git reference (e.g., a malicious branch, tag, or commit hash) to the release_number input. This allows the attacker to execute arbitrary code in the context of the workflow runner, which has access to sensitive secrets like DOCKERHUB_TOKEN and DOCKERHUB_USERNAME.

Filename: .github/workflows/release-x-manual-docker-containers.yml

Code:

    ref: ${{ inputs.release_number }}
⚠️ Information Disclosure of Scan Types: dojo/finding/views.py

Type: Information Disclosure of Scan Types

Description: The get_visible_scan_types() function, used in the ListFindings view, retrieves all active Test_Type objects without performing any authorization checks. While the ListFindings view itself has authorization checks (Permissions.Product_View or Permissions.Engagement_View), the get_visible_scan_types() function does not filter the scan types based on the user's permissions. This means any authenticated user with access to a product or engagement can view a list of all active scan types configured in the system, regardless of whether they have specific permissions to create or manage those scan types. This could reveal internal security tooling and capabilities to unauthorized users.

Filename: dojo/finding/views.py

Code:

            "visible_test_types": get_visible_scan_types(),
        }
        # Look to see if the product was used
        if product_id := self.get_product_id():