
move MAX_ZIP_* to settings #14730

Open

fopina wants to merge 1 commit into DefectDojo:dev from fopina:settings/max_zip


Conversation

fopina (Contributor) commented Apr 22, 2026

Release 2.56.0 introduced safe zip loading, enforcing limits on the number of files in a zip and on individual file size.

However, those were put into constants in tools/utils.py.

This PR moves those constants to settings (also configurable by env) for users to adjust to their requirements and risk acceptance.

Note: one of our Fortify reports has >130k "members" 💣
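As an added illustration of the kind of check this PR makes configurable (example code written for this page, not DefectDojo's own `tools/utils.py` implementation), the block below reads two limits from environment variables with defaults and refuses an archive that exceeds either one. The setting names `DD_MAX_ZIP_MEMBERS` and `DD_MAX_ZIP_MEMBER_SIZE`, the use of plain `os.environ` instead of the project's settings machinery, and the function names are all assumptions. It goes one step beyond a declared-size check: it also counts the bytes actually decompressed, so a member whose central-directory header under-reports its size still hits the limit.

```python
import io
import os
import zipfile

# Hypothetical setting names (placeholders, not DefectDojo's real ones), read from
# the environment with a default so an operator can raise them without a code change.
MAX_ZIP_MEMBERS = int(os.environ.get("DD_MAX_ZIP_MEMBERS", "1000"))
MAX_ZIP_MEMBER_SIZE = int(os.environ.get("DD_MAX_ZIP_MEMBER_SIZE", str(50 * 1024 * 1024)))
CHUNK = 64 * 1024


class ZipLimitExceeded(ValueError):
    """Raised when an archive exceeds the configured member-count or member-size limit."""


def build_sample_zip(members: dict) -> bytes:
    """Constructed test input: an in-memory archive built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def safe_zip_members(data: bytes,
                     max_members: int = MAX_ZIP_MEMBERS,
                     max_member_size: int = MAX_ZIP_MEMBER_SIZE) -> dict:
    """Return {name: bytes} for every member, or raise ZipLimitExceeded.

    Two checks per member: the size declared in the central directory (cheap,
    rejects obvious oversize entries before any decompression) and the number
    of bytes actually produced while inflating (catches a lying header).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise ZipLimitExceeded(
                f"archive has {len(infos)} members, limit is {max_members}")
        out = {}
        for info in infos:
            if info.file_size > max_member_size:
                raise ZipLimitExceeded(
                    f"{info.filename} declares {info.file_size} bytes, "
                    f"limit is {max_member_size}")
            chunks, total = [], 0
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_member_size:
                        raise ZipLimitExceeded(
                            f"{info.filename} inflated past {max_member_size} bytes")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


if __name__ == "__main__":
    sample = build_sample_zip({"report.xml": b"<a/>", "notes.txt": b"ok"})
    print(sorted(safe_zip_members(sample)))
    try:
        safe_zip_members(sample, max_members=1)
    except ZipLimitExceeded as exc:
        print("rejected:", exc)
```

Because the limits are read at import time, changing the environment variables and restarting the service is enough to accommodate a report with more members, which is the operational knob this PR is asking for.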

github-actions bot added labels docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), unittests, parser, helm on Apr 22, 2026

DryRun Security (@dryrunsecurity) commented

This pull request introduces a critical potential cross-site scripting (XSS) issue in dojo/tools/anchore_grype/parser.py by concatenating unescaped external strings (vuln_datasource, vuln_urls[], rel_datasource, rel_urls[]) into finding_references using f-strings; if those values come from untrusted inputs and are later rendered into HTML/JS, they can enable XSS. The finding is marked risky but non-blocking, so sanitize or escape external data before rendering to mitigate.

🔴 Potential Cross-Site Scripting in dojo/tools/anchore_grype/parser.py (drs_fb04a2d6)
Vulnerability: Potential Cross-Site Scripting

Description: The parser concatenates external strings (vuln_datasource, vuln_urls[], rel_datasource, rel_urls[]) directly into a finding_references string using f-strings without any escaping or sanitization. If those values originate from untrusted input (scanner output, advisories, or user-supplied data) and are later rendered into an HTML/JS context without appropriate escaping, this creates a path for XSS.

```python
finding_references += f"**Vulnerability Datasource:** {vuln_datasource}\n"
if vuln_urls:
    if len(vuln_urls) == 1:
        if vuln_urls[0] != vuln_datasource:
```

We've notified @mtesauro.


@fopina fopina changed the base branch from master to dev April 22, 2026 13:48
fopina (Contributor, Author) commented Apr 22, 2026

☝️ I guess dry run started before I fixed the target branch
