feat: allowed hosts based on cidr #10504
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note: 🟢 Risk threshold not exceeded.
Change Summary
The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.
Summary: The provided code changes focus on updating the dependencies and security-related configurations for the DefectDojo application, which is a web-based open-source application for managing application security programs. The key changes include:
From an application security perspective, these changes appear to be focused on enhancing the security of the DefectDojo application. However, it is essential to review the actual values of the security-related configurations and ensure they are properly secured and aligned with the application's security requirements.
Files Changed:
Powered by DryRun Security
Can you also include some unit tests? Maybe similar to: django-DefectDojo/unittests/test_remote_user.py, lines 135 to 163 in 659f50b
This pull request has conflicts, please resolve those before we can evaluate the pull request.
@fcecagno No problem with this change but agree with kiblik about the need for a unit test before it gets reviewed/approved.
Thanks for the review, I agree with you and will work on this.
Closed as stale. We're happy to have you reopen this PR if you're ready to complete the missing parts.
Description
This modification installs django-allow-cidr (https://pypi.org/project/django-allow-cidr/) so Django allowed hosts can be set as a CIDR range instead of a domain name or IP address. This is very important for Kubernetes deployments: if Django metrics are enabled and we configure a ServiceMonitor to fetch metrics, an arbitrary pod will fetch the metrics from the Django pods, which typically won't be allowed:
Setting extraConfigs.DD_ALLOWED_CIDR_NETS: '10.244.0.0/16', the request will work and the problem will go away. If DD_ALLOWED_CIDR_NETS is not set, the previous behavior is kept.
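As an added illustration of the behaviour the description asks for (this is not code from the PR, from DefectDojo, or from django-allow-cidr, which implements it as a Django middleware), the stand-alone check below accepts a Host header if it matches an ALLOWED_HOSTS pattern or is an IP literal inside one of the DD_ALLOWED_CIDR_NETS networks, and falls back to plain ALLOWED_HOSTS behaviour when that variable is unset. The comma-separated format of DD_ALLOWED_CIDR_NETS and the sample hosts are assumptions.

```python
"""Model of Django's ALLOWED_HOSTS check extended with CIDR networks (added example)."""
import ipaddress
import os
import re
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Same shape as Django's host_validation_re: a DNS name / IPv4 literal, or a bracketed IPv6
# literal, optionally followed by ":port".
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def parse_cidr_nets(value: Optional[str]) -> List[IPNetwork]:
    """Parse a comma-separated DD_ALLOWED_CIDR_NETS value (assumed format); unset -> []."""
    if not value or not value.strip():
        return []
    # strict=True (the default) rejects nets with host bits set, so a typo such as
    # 10.244.1.0/16 fails at startup instead of silently allowing something else.
    return [ipaddress.ip_network(item.strip()) for item in value.split(",") if item.strip()]


def split_domain_port(host: str):
    """Return (domain, port) for a Host header, or ("", "") if it is malformed."""
    match = HOST_RE.match(host.lower())
    if not match:
        return "", ""
    domain, port = match.groups()
    domain = domain[:-1] if domain.endswith(".") else domain  # drop trailing FQDN dot
    return domain, (port[1:] if port else "")


def host_matches_pattern(domain: str, pattern: str) -> bool:
    """Django ALLOWED_HOSTS semantics: '*' matches all, '.x' matches x and its subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return domain.endswith(pattern) or domain == pattern[1:]
    return domain == pattern


def is_host_allowed(host_header: str, allowed_hosts: List[str], cidr_nets: List[IPNetwork]) -> bool:
    """True if the Host header passes ALLOWED_HOSTS, or is an IP literal inside an allowed net."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    if any(host_matches_pattern(domain, p) for p in allowed_hosts):
        return True
    literal = domain[1:-1] if domain.startswith("[") else domain  # unwrap IPv6 brackets
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return False  # DNS names never match a CIDR net, only IP literals do
    return any(addr in net for net in cidr_nets)


if __name__ == "__main__":
    nets = parse_cidr_nets(os.environ.get("DD_ALLOWED_CIDR_NETS"))  # e.g. "10.244.0.0/16"
    print(is_host_allowed("10.244.3.7:8080", ["defectdojo.example"], nets))
```

With the variable unset the CIDR branch is never reached, which is the "previous behavior is kept" case from the description.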