Release: Merge release into master from: release/2.57.2 #14711

Merged

rossops merged 25 commits into master from release/2.57.2 on Apr 20, 2026

Conversation

@github-actions (Contributor)

Release triggered by rossops

paulOsinski and others added 25 commits April 8, 2026 14:14
….58.0-dev

Release: Merge back 2.57.1 into bugfix from: master-into-bugfix/2.57.1-2.58.0-dev
Bumps [pillow](https://github.com/python-pillow/Pillow) from 12.1.1 to 12.2.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.1...12.2.0)

---
updated-dependencies:
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…er (#14631)

* added ssrf utils to check urls and applied it to risk recon parser

* update risk recon unit tests

* add unit tests for SSRF protection in risk recon API init

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* add unit tests for utils_ssrf module

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Fix accept_risks API endpoints to use RBAC instead of IsAdminUser

Replace DRF's IsAdminUser permission with DefectDojo's RBAC system
on all accept_risks endpoints. IsAdminUser only checked is_staff,
bypassing role-based access control entirely.

- Use UserHasRiskAcceptanceRelatedObjectPermission for detail endpoints
  (engagement/test accept_risks) to enforce Permissions.Risk_Acceptance
- Change mass endpoint to query engagements with Risk_Acceptance
  permission instead of Engagement_View
- Enforce product-level enable_full_risk_acceptance setting on all
  accept_risks endpoints
- Add 9 RBAC unit tests covering writer/reader roles and the
  enable_full_risk_acceptance product setting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix ruff lint: add blank line before class docstring

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* change to reactivating risk accepted findings

* Fix remove_finding BFLA and add test coverage (PR #14633)

Gate the remove_finding POST branch on edit_mode so only the edit URL
(requiring Risk_Acceptance permission) can process finding removals.
Scope the finding lookup to risk_acceptance.accepted_findings to prevent
cross-product blind enumeration via sequential IDs.

Add 6 security tests covering: edit_mode guard, scoped lookup, cross-product
IDOR, decorator enforcement, and positive regression.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* change-to-moving-engagements

* fix-migration-issue:

* Revert PR #14634 changes (editable=False approach)

Reverting the approach of making Engagement.product editable=False
and splitting serializers. Will replace with proper permission checks
on the destination product when moving engagements.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add permission check on destination product when moving engagements

When a user changes an engagement's product (via API PUT/PATCH or
the UI edit form), verify they have Engagement_Edit permission on
the destination product. Previously only the source product was
checked, allowing users to move engagements to products they lack
write access to.

- API: EngagementSerializer.validate() checks destination product
  permission on update, following the ProductMemberSerializer pattern
- UI: edit_engagement() view checks destination product permission
  before saving
- Tests: 8 new tests covering PATCH, PUT, and UI paths for both
  authorized and unauthorized product moves

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix UI test: form queryset already rejects unauthorized products

The EngForm product queryset is filtered to authorized products, so
submitting an unauthorized product fails form validation (200) before
the view-level permission check runs. Update the test to accept both
200 and 403 -- the key assertion is that the engagement does not move.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix ruff lint: docstring formatting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Documents a repeatable 10-phase process for reorganizing domain modules
(finding, test, engagement, product, product_type) to match the dojo/url/
reference pattern. Includes service-layer extraction guidance to support
the long-term goal of removing the classic UI and going fully API-based.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove unnecessary template filter from auditor and mitigated_by
fields in the endpoints snippet to align with standard Django
template rendering conventions.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…mport/reimport (#14636)

* Fix reimport-scan API authorization bypass via conflicting identifiers

Validate that ID-resolved objects (test, engagement) are consistent with
name-based identifiers (product_name, engagement_name) in both the
permission check layer and the AutoCreateContextManager resolution layer.
This prevents an attacker from passing their own engagement/test ID to
satisfy the permission check while using name-based fields to target a
victim's product.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use ID-based comparisons and add engagement_name check to import

- Switch permission checks to use ID comparisons (product_id, engagement_id)
  where resolved objects are available, with name fallback for unresolved cases
- Add engagement_name validation to UserHasImportPermission (was missing)
- Fix ruff string quoting in auto_create_context.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Strip undeclared engagement field in reimport permission check

The engagement field is not declared on ReImportScanSerializer and gets
stripped during validation. The permission check must also strip it so it
resolves targets the same way execution does — by name, not by a stale
engagement ID from request.data.

Update test to verify the engagement param is ignored and permission is
checked against the name-resolved target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix information disclosure in conflict validation error messages

Replace error messages that leaked resolved object names (product names,
engagement names) with generic messages. An attacker could enumerate
object names by sending conflicting ID-based and name-based identifiers
and reading the detailed error responses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
🎉 add mozilla foundation sec advice to vulnid
…laybook

docs: add CLAUDE.md with module reorganization playbook
* Add OSS subscriber for Open Source Messaging banner

Fetches a markdown message from the DaaS-published GCS bucket, renders
the bleached headline and optional expanded section through the existing
additional_banners template loop. Cached for 1h; any fetch/parse failure
silently yields no banner. No Django settings introduced — disabling the
banner requires forking.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Enable nl2br in expanded markdown and fold module into dojo.announcement

Single newlines in the expanded body now render as <br>, so authored
markdown lays out multi-line. Module folded into the existing
dojo/announcement/ app and test patch paths updated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Use <button> for banner toggle and clean focus styling

Anchor-based toggle picked up Bootstrap alert link styles and a
lingering focus outline after click, which showed as a stray glyph next
to the caret. A plain <button type="button"> avoids link decoration
entirely; focus outline and transition are also dropped so the caret
flips instantly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Replace DD_CLOUD_BANNER with centralized additional_banners system

Migrate all promotional messaging to the additional_banners context
processor pattern. Product announcements now store banners in the
session for rendering via the unified template loop. Each banner
carries a source field (os, product_announcement) so downstream
repos can filter by origin.

- Remove DD_CREATE_CLOUD_BANNER setting and env var entirely
- Repurpose ProductAnnouncementManager to use session-based banners
- Remove evaluate_pro_proposition celery task and beat schedule
- Remove create_announcement_banner from initialization command
- Simplify announcement signal to remove cloud-specific logic
- Add SHOW_PLG_LINK context variable for PLG menu item control
- Rename os-banner-* CSS classes to generic banner-* classes
- Add data-source attribute to banner template markup
- Switch OS message bucket URL from dev to prod
- Add 52 tests covering context processor and product announcements

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Remove unused import and add docstring to TestBannerDictSchema

* Fix ruff FURB189: use UserDict instead of dict subclass

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
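The reimport-scan authorization bypass fixed in the #14636 commits above (an engagement ID the caller is allowed to use paired with name-based fields pointing at another product), as an added illustration that is not DefectDojo's code: the target is resolved from both identifier kinds, compared by resolved-object ID, and any conflict is rejected with one generic message so object names do not leak. The in-memory Product/Engagement records, the ENGAGEMENTS/PRODUCTS_BY_NAME lookups and the import_products permission set are assumptions.

```python
from dataclasses import dataclass

class PermissionDenied(Exception):
    """Raised with a generic message so resolved object names never leak."""

@dataclass(frozen=True)
class Product:
    id: int
    name: str

@dataclass(frozen=True)
class Engagement:
    id: int
    name: str
    product: Product

# Constructed sample data: a product the caller may import into, and a victim product.
ALPHA = Product(1, "alpha")
VICTIM = Product(2, "victim")
ENGAGEMENTS = {10: Engagement(10, "alpha-eng", ALPHA), 20: Engagement(20, "victim-eng", VICTIM)}
PRODUCTS_BY_NAME = {p.name: p for p in (ALPHA, VICTIM)}
CONFLICT = "Conflicting or invalid import target identifiers"
DENIED = "You do not have permission to import into this target"

def check_import_permission(import_products: set, data: dict) -> Product:
    """Resolve the import target and enforce permission on it, comparing by resolved IDs.

    import_products: product IDs the caller may import into (assumed RBAC model).
    """
    product = None
    engagement = None
    if (eng_id := data.get("engagement")) is not None:
        engagement = ENGAGEMENTS.get(eng_id)
        if engagement is None:
            raise PermissionDenied(CONFLICT)
        product = engagement.product  # product resolved via the ID

    if (product_name := data.get("product_name")) is not None:
        named = PRODUCTS_BY_NAME.get(product_name)
        # Compare IDs: an engagement the caller owns must not vouch for a named product.
        if named is None or (product is not None and product.id != named.id):
            raise PermissionDenied(CONFLICT)
        product = named

    eng_name = data.get("engagement_name")
    if eng_name is not None and engagement is not None and engagement.name != eng_name:
        raise PermissionDenied(CONFLICT)

    if product is None or product.id not in import_products:
        raise PermissionDenied(DENIED)
    return product

def denial_message(import_products: set, data: dict):
    """Return the denial message, or None when the import would be permitted."""
    try:
        check_import_permission(import_products, data)
    except PermissionDenied as exc:
        return str(exc)
    return None
```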
rossops closed this Apr 20, 2026
rossops reopened this Apr 20, 2026
github-actions Bot added the settings_changes label (Needs changes to settings.py based on changes in settings.dist.py included in this PR) Apr 20, 2026

dryrunsecurity Bot commented Apr 20, 2026

DryRun Security

This pull request modifies many sensitive files (templates, views, API/serializers/permissions, templatetags, importers, and risk acceptance code) and the scanner flagged those edits as sensitive codepath changes; review and/or update your .dryrunsecurity.yaml to authorize these file paths or permitted authors before merging.

Vulnerability (all findings below): Configured Codepaths Edit
Description (all findings below): Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/engagement_pdf_report.html (drs_4b2563fc)
🔴 Configured Codepaths Edit in dojo/templates/dojo/finding_pdf_report.html (drs_3afdec30)
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_8bf22060)
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_pdf_report.html (drs_11cc0baa)
🔴 Configured Codepaths Edit in dojo/templates/dojo/endpoint_pdf_report.html (drs_8a717ca9)
🔴 Configured Codepaths Edit in dojo/templates/dojo/engagement_pdf_report.html (drs_1d78e1a1)
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_34b45c80)
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_pdf_report.html (drs_c1d58b2c)
🔴 Configured Codepaths Edit in dojo/templates/dojo/endpoint_pdf_report.html (drs_259b0019)
🔴 Configured Codepaths Edit in dojo/templates/report_base.html (drs_7c827ac4)
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py (drs_84d4d025)
🔴 Configured Codepaths Edit in dojo/risk_acceptance/api.py (drs_9f6006b7)
🔴 Configured Codepaths Edit in dojo/templates/dojo/snippets/endpoints.html (drs_1fb82a0c)
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_type_pdf_report.html (drs_256d219a)
🔴 Configured Codepaths Edit in dojo/templates/dojo/test_pdf_report.html (drs_36e37082)
🔴 Configured Codepaths Edit in dojo/engagement/views.py (drs_c02320fc)
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py (drs_3518d8de)
🔴 Configured Codepaths Edit in dojo/templates/dojo/finding_pdf_report.html (drs_4691ea4a)
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_type_pdf_report.html (drs_8e2e4f71)
🔴 Configured Codepaths Edit in dojo/templates/dojo/test_pdf_report.html (drs_9c2e2954)
🔴 Configured Codepaths Edit in dojo/templates/report_base.html (drs_c4b6470a)
🔴 Configured Codepaths Edit in dojo/engagement/views.py (drs_d88ac886)
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_6767a3e2)
🔴 Configured Codepaths Edit in dojo/api_v2/permissions.py (drs_ae7e725c)
🔴 Configured Codepaths Edit in dojo/importers/auto_create_context.py (drs_8231be15)
🔴 Configured Codepaths Edit in dojo/templatetags/display_tags.py (drs_4d14aeba)
🔴 Configured Codepaths Edit in dojo/api_v2/permissions.py (drs_21597644)
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_96638669)
🔴 Configured Codepaths Edit in dojo/engagement/views.py (drs_9dfc1655)
🔴 Configured Codepaths Edit in dojo/importers/auto_create_context.py (drs_502fe22a)
🔴 Configured Codepaths Edit in dojo/risk_acceptance/api.py (drs_e566ae4d)

We've notified @mtesauro.


Comment to provide feedback on these findings.

Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]

Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing

All finding details can be found in the DryRun Security Dashboard.

@rossops rossops merged commit 3adf4cd into master Apr 20, 2026
292 of 293 checks passed

Labels: apiv2, helm, parser, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), ui, unittests