Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(disclaimers): Split disclaimers #10902

Open
wants to merge 5 commits into
base: dev
Choose a base branch
from

Conversation

kiblik
Copy link
Contributor

@kiblik kiblik commented Sep 12, 2024

Until now, all disclaimers have been the same which is not the best.

Now you can choose between:

  • disclaimer_notifications
  • disclaimer_reports

There is one more to inform users that they should not include any personal information in notes:

  • disclaimer_notes

Plus if there is an internal policy to have a disclaimer in all reports, it is possible to use disclaimer_reports_forced to not allow users to be excluded it.

E.g.:
image

image

@github-actions github-actions bot added the New Migration Adding a new migration file. Take care when merging. label Sep 12, 2024
Copy link

dryrunsecurity bot commented Sep 12, 2024

DryRun Security Summary

The pull request improves the handling of disclaimers in the Defect Dojo application by introducing separate notification-specific disclaimer settings, updating email templates, and implementing conditional rendering to enhance security and flexibility in displaying disclaimers across various contexts.

Expand for full summary

Summary:

The changes in this pull request focus on improving the handling of disclaimers in various parts of the Defect Dojo application, particularly in the context of email notifications. The key changes include:

  1. Introducing separate settings for the disclaimer text to be used in notifications (system_settings.disclaimer_notifications) instead of a generic disclaimer setting.
  2. Updating the email templates to use the new notification-specific disclaimer setting, ensuring that the appropriate disclaimer is displayed in the relevant contexts.
  3. Implementing conditional rendering of the disclaimer sections, so that they are only displayed when the disclaimer text is actually configured.

From an application security perspective, these changes are generally positive as they demonstrate a security-conscious approach to handling sensitive information and user-provided content. By separating the disclaimer settings and using conditional rendering, the risk of potential security vulnerabilities, such as cross-site scripting (XSS), is reduced.

However, it's important to ensure that the content of the system_settings.disclaimer_notifications field is properly sanitized and validated before being displayed in the email templates. Additionally, the application should be reviewed for any other instances where user-provided data is being rendered without proper input validation.

Files Changed:

  1. dojo/db_migrations/0220_system_settings_disclaimer_notif.py: This migration file introduces a new field disclaimer_reports to the System_Settings model, allowing for a custom disclaimer to be included on generated reports.
  2. dojo/db_migrations/0219_system_settings_disclaimer_notif.py: This migration file renames the existing disclaimer field to disclaimer_notifications and adds three new fields: disclaimer_reports, disclaimer_notes, and disclaimer_reports_forced.
  3. dojo/models.py: This file contains the updates to the System_Settings model, including the new disclaimer-related fields.
  4. dojo/forms.py: The code changes in this file focus on enhancing the application security features, such as adding disclaimer functionality to various forms and improving the handling of Finding Groups with JIRA.
  5. dojo/templates/dojo/custom_html_report.html: The changes in this file introduce a conditional block to render a disclaimer section in the custom HTML report.
  6. dojo/templates/dojo/endpoint_pdf_report.html: The changes in this file add the | safe filter to the {{ disclaimer }} variable, which could potentially introduce a cross-site scripting (XSS) vulnerability if the disclaimer content is not properly sanitized.
  7. dojo/reports/views.py: The changes in this file update the CustomReport view and the generate_report function to handle the new disclaimer-related settings.
  8. dojo/templates/dojo/finding_pdf_report.html: The changes in this file also add the | safe filter to the {{ disclaimer }} variable, which should be reviewed for potential XSS vulnerabilities.
  9. Various other template files (e.g., dojo/templates/dojo/engagement_pdf_report.html, dojo/templates/dojo/product_endpoint_pdf_report.html, dojo/templates/dojo/form_fields.html, etc.): These files have been updated to use the new system_settings.disclaimer_notifications setting and to handle the disclaimer functionality in a more secure and consistent manner.

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 1 finding
Cross-Site Scripting Analyzer 7 findings

Overall Riskiness

🟡 Please give this pull request extra attention during review.

View PR in the DryRun Dashboard.

@kiblik kiblik changed the title afeat(disclaimers): Split disclaimers feat(disclaimers): Split disclaimers Sep 12, 2024
@github-actions github-actions bot added the ui label Sep 20, 2024
@kiblik kiblik force-pushed the disclaimers branch 6 times, most recently from e3a271b to c9a2893 Compare October 18, 2024 17:34
@kiblik kiblik marked this pull request as ready for review November 20, 2024 11:11
@kiblik kiblik requested review from Maffooch and mtesauro November 26, 2024 10:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
New Migration Adding a new migration file. Take care when merging. ui
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant