Conversation

@kiblik kiblik commented Apr 13, 2025

@kiblik kiblik force-pushed the webhook_notif_quote branch from ddd4ffb to 8992f33 Compare April 13, 2025 10:55
@kiblik kiblik force-pushed the webhook_notif_quote branch from 8992f33 to 7d51357 Compare April 13, 2025 11:06
@github-actions github-actions bot added ui and removed docker labels Apr 13, 2025
@kiblik kiblik force-pushed the webhook_notif_quote branch 2 times, most recently from f4c9f28 to e14d110 Compare April 13, 2025 12:22
@kiblik kiblik force-pushed the webhook_notif_quote branch 2 times, most recently from 59a5a12 to 89b38ae Compare April 22, 2025 19:23
@kiblik kiblik force-pushed the webhook_notif_quote branch from 89b38ae to 954c336 Compare April 22, 2025 20:14
@kiblik kiblik marked this pull request as ready for review April 22, 2025 20:19
@dryrunsecurity
DryRun Security

This pull request contains potential security vulnerabilities including an XSS risk in a JSON template tag, unsafe JSON serialization, and URL exposure in test environments, which could introduce risks related to cross-site scripting, information leakage, and insecure configuration.

💭 Unconfirmed Findings (3)

Vulnerability: XSS Vulnerability Potential in as_json.py
Description: Identified in dojo/templatetags/as_json.py, this vulnerability involves the use of mark_safe() which bypasses Django's automatic HTML escaping. This could potentially introduce Cross-Site Scripting (XSS) risks if user-controlled data is passed through the filter without proper sanitization.

Vulnerability: Unsafe JSON Serialization
Description: Located in dojo/templatetags/as_json.py, this issue involves using json.dumps() without additional parameters. This could lead to potential exposure of sensitive information or JSON injection if input is not carefully controlled.

Vulnerability: URL Exposure in Test Environment
Description: Found in unittests/test_notifications.py, this finding involves multiple hardcoded HTTP (not HTTPS) localhost URLs. While specific to a test environment, it demonstrates potential security configuration risks in URL handling.

All finding details can be found in the DryRun Security Dashboard.
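The first two findings describe one pattern: a template filter that returns `json.dumps()` output wrapped in `mark_safe()`, so Django's autoescaping no longer applies to it. The added example below (not DefectDojo's code, and not the actual contents of `dojo/templatetags/as_json.py`) contrasts that pattern with a hardened version that applies the same `<`, `>`, `&` to `\uXXXX` translation Django's built-in `json_script` filter uses, so the serialized text cannot close an inline `<script>` block while still decoding to the same value. It is plain Python with no Django dependency; the function names and the sample value are constructed for this example.

```python
import json

# Constructed sample: a value containing a closing script tag, the classic
# breakout when a JSON blob is embedded inside <script> ... </script>.
SAMPLE = {"title": "</script><script>alert(1)</script>", "note": "a & b"}


def as_json_unescaped(value):
    """Pattern the finding describes: json.dumps() with no HTML-aware escaping,
    returned as-is (equivalent to wrapping it in mark_safe() in a filter)."""
    return json.dumps(value)


# Same translation Django's json_script filter applies: the three characters
# that can terminate an inline <script> or alter surrounding HTML are emitted
# as JSON \uXXXX escapes. JSON parsers (and JavaScript) decode them back to
# the original characters, so the payload reaching the page script is unchanged.
_JSON_SCRIPT_ESCAPES = {
    ord(">"): "\\u003E",
    ord("<"): "\\u003C",
    ord("&"): "\\u0026",
}


def as_json_escaped(value):
    """Hardened form: output that is safe to mark as safe, because no
    HTML-significant character survives in the serialized text."""
    return json.dumps(value).translate(_JSON_SCRIPT_ESCAPES)


def breaks_out_of_script(serialized):
    """Defensive check: would an HTML parser see the end of a script block?"""
    return "</script" in serialized.lower()


def roundtrip_equal(serialized, original):
    """Escaping must not change the decoded value."""
    return json.loads(serialized) == original


if __name__ == "__main__":
    print("unescaped breaks out:", breaks_out_of_script(as_json_unescaped(SAMPLE)))
    print("escaped breaks out:  ", breaks_out_of_script(as_json_escaped(SAMPLE)))
    print("escaped roundtrips:  ", roundtrip_equal(as_json_escaped(SAMPLE), SAMPLE))
```

The same check applies when reviewing any filter that combines `mark_safe()` with `json.dumps()`: if the raw output can contain `<`, `>` or `&`, the value must be escaped before it is marked safe.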

@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro merged commit a53fcef into DefectDojo:bugfix Apr 26, 2025
77 checks passed
@kiblik kiblik deleted the webhook_notif_quote branch April 26, 2025 07:31
5 participants