Security/mask slack token field#14325
Open
omartinex wants to merge 10000 commits into DefectDojo:dev from
…efectDojo#13975)

* Fix test_type mismatch validation during reimport (DefectDojo#10219)
  - Add validation in consolidate_dynamic_tests to detect test_type mismatches during reimport
  - Raise ValidationError with descriptive message when test_type doesn't match
  - Validation occurs before any findings are processed or deduplication starts
  - Add test cases for matching test_type, mismatched test_type, and initial import scenarios
  - Create test data files for generic parser with different test types
  Fixes DefectDojo#10219
* fixes
* add docs
…finding_jira_sync is enabled (DefectDojo#13983)

* Fix JIRA form processing logic
* ruff
Release: Merge release into master from: release/2.53.5
* update changelog
* correct dates
* update screenshots

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
* Handle System_Settings.DoesNotExist in get_from_db

  Refactor get_from_db method to handle specific exception.
* add error message to UI
…13988)

* pghistory: add context for each process
* pghistory: pass on context to celery tasks
* support vue as source

Co-authored-by: Valentijn Scholten <valentijn.scholten@iodigital.com>
* finding_templates: make tags work again
* finding_templates: reinstate unit tests
* finding_templates: remove automated matching logic
* finding templates: more authorization tests to apply template
* fixture cleanup
* upgrade notes
* finding_template: add cvss validation
* increase memory hugo
* finding_template: align fields with finding model
* finding_templates: update api schema
* finding_templates: centralize logic
* squash migrations
* squash migrations
* revert git hub pages changes
* fix user interface test
* update upgrade notes
* fix test
* move to 2.54
* fix test
* move to 2.54
* Bumping hugo version due to memory issue

Co-authored-by: Ross Esposito <rossespo@gmail.com>
…e/verified (DefectDojo#13965)

* Fix bulk edit validation: prevent duplicate findings from being active/verified
  - Add validation in FindingBulkUpdateForm to prevent active findings from being risk accepted
  - Add view-level validation to check existing duplicate status before setting active/verified
  - Add view-level validation to check existing active status before risk accepting
  - Add comprehensive user feedback for skipped findings with reasons
  - Track actually_updated_count to accurately report successful updates
  Fixes DefectDojo#11336
* add bulk edit validation tests
* bulk edit: reduce method complexity
…sabled (DefectDojo#13969)

Fixes DefectDojo#13312

When TRACK_IMPORT_HISTORY is disabled, tags were not being applied to findings and endpoints during import because the tag application logic was inside update_import_history() which returned early.

Refactored to:
- Extract tag application into dedicated apply_import_tags() method
- Call apply_import_tags() from importers after update_import_history()
- Remove tag application logic from update_import_history()

This ensures tags are applied regardless of TRACK_IMPORT_HISTORY setting while maintaining separation of concerns.
- Add 'status' column showing finding status (Active, Verified, etc.)
- Add 'notes' column aggregating all public notes for each finding
- Filter out private notes from exports for privacy compliance
- Add prefetching for notes to avoid N+1 queries
- Follow existing patterns for multiline field handling (NEWLINE for CSV, actual newlines for Excel)

Fixes DefectDojo#8995
…4 (.github/workflows/validate_docs_build.yml) (DefectDojo#13985) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…x/2.53.5-2.54.0-dev Release: Merge back 2.53.5 into bugfix from: master-into-bugfix/2.53.5-2.54.0-dev
….53.5-2.54.0-dev Release: Merge back 2.53.5 into dev from: master-into-dev/2.53.5-2.54.0-dev
Bumps [django-filter](https://github.com/carltongibson/django-filter) from 25.1 to 25.2. - [Release notes](https://github.com/carltongibson/django-filter/releases) - [Changelog](https://github.com/carltongibson/django-filter/blob/main/CHANGES.rst) - [Commits](carltongibson/django-filter@25.1...25.2) --- updated-dependencies: - dependency-name: django-filter dependency-version: '25.2' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 7.0.0 to 7.1.0. - [Release notes](https://github.com/python-gitlab/python-gitlab/releases) - [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md) - [Commits](python-gitlab/python-gitlab@v7.0.0...v7.1.0) --- updated-dependencies: - dependency-name: python-gitlab dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…file.nginx-alpine) (DefectDojo#13995) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Updated weight for version 2.54.x and modified description.
…3.11 to v (dockerfile.integration-tests-debian) (DefectDojo#14003) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…tialization command (DefectDojo#14002)
* dedupe reopen: add test cases that prove the bug
* remove obsolete method
* dedupe reopen: proceed with next candidate if candidate is mitigated
* rename methods
Fixes DefectDojo#12644

This commit addresses several issues with the risk acceptance API:

1. Risk acceptances created via API now appear in engagement panel
   - Added engagement.risk_acceptance.add(instance) in create() method
   - Fixes the main bug where API-created risk acceptances were orphaned
2. Added validation for enable_full_risk_acceptance product setting
   - API now respects the product-level setting before creating instances
   - Validates in validate() method to fail early
3. Added protection against engagement switching
   - Prevents moving risk acceptances between engagements via PATCH/PUT
   - Validates even when risk acceptance has no findings (edge case)
4. Performance improvement
   - Use self.instance.accepted_findings.all() instead of filtering
5. Comprehensive API tests
   - Added test_risk_acceptance_api.py with 7 test cases
   - Covers all edge cases and validation scenarios
   - All tests passing

Changes:
- dojo/api_v2/serializers.py: Enhanced RiskAcceptanceSerializer
- unittests/test_risk_acceptance_api.py: New comprehensive test suite
[docs] pro changelog - 2.55.0
…e product reference
…portAndPushTestApi
…jo#14244)

* Replace old risk acceptance article and add calendar
* revert thulite changes and block renovate
* resize images
* update lock file
* change article directories
* content changes
* update lock file again

Co-authored-by: Paul Osinski <posinski34@gmail.com>
Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
…DefectDojo#14256)

* added testing to ensure duplicate findings are deleted in the correct order
* fix ruff issues
* Update unittests/test_duplication_loops.py

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
…Dojo#14253) The Test model uses 'title' field, not 'name'. This fixes the 500 error when filtering findings by Test name with Filter String Matching Optimization enabled. Fixes DefectDojo#14160 Co-authored-by: Cursor <cursoragent@cursor.com>
…anges Update dockerfiles to ensure underlying OS is always running the late…
…o-async-task-base-task-bugfix refactor dojo async task base task (bugfix branch)
…cceptance-api-engagement-link Fix risk acceptance API to link to engagement and add validations and permission check
…xt-patch Auto Create Context: Fetch all objects for correct jira project associations
…efectDojo#14266) The `has_jira_issue` filter only checks if the finding itself has a JIRA issue. For findings in a group where the group has a JIRA issue, this filter doesn't match. A `FindingHasJIRAFilter` that checks both already existed but was never wired up to be visible in the UI or API. Rename it to `has_any_jira_issue`, add help text, and include it in `get_finding_filterset_fields()` so it appears in the finding filters when both JIRA and finding groups are enabled. Closes DefectDojo#12670
…ctDojo#14267)

* Add finding group support to jira_status_reconciliation command

  The jira_status_reconciliation management command only processed individual findings with direct JIRA issues. Finding groups that were pushed to JIRA as groups were completely skipped because their JIRA issue is attached to the Finding_Group model, not to individual findings.

  This adds a second processing loop for Finding_Group objects with JIRA issues, supporting all three modes (reconcile, push_status_to_jira, import_status_from_jira). The group's aggregate status is derived from its member findings. To avoid pushing the same JIRA issue twice, we use push_status_to_jira directly on the group object (not push_finding_group_to_jira which would also push individual finding JIRA issues already handled by the existing loop).

  Also adds --include-findings/--no-include-findings and --include-finding-groups/--no-include-finding-groups flags so users can control which types are processed.

  Closes DefectDojo#14031
* add upgrade notes
…Dojo#14262)

* Enhance JIRA synchronization logic in importers and serializers
  - Updated push_to_jira conditions to include sync behavior based on JIRA instance settings.
  - Refactored JIRA push logic to check for sync status in FindingSerializer and DefaultImporter.
  - Improved handling of JIRA instance retrieval and sync checks in DefaultReImporter and BaseImporter.
  - Added support for prefetched JIRA instance in is_keep_in_sync_with_jira function.
* Refactor JIRA sync flag to use 'finding_jira_sync' for consistency in importers and reimporters
* Refactor is_keep_in_sync_with_jira function to use a generic object parameter for improved flexibility
* Refactor is_keep_in_sync_with_jira function to improve JIRA issue detection and sync logic
* Add tests
* bulk edit: push groups to JIRA when sync is enabled (DefectDojo#14265)

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
Release: Merge release into master from: release/2.55.2
- Changed slack_token field widget to PasswordInput to prevent token exposure in plain text
- Added placeholder text to indicate when token is already configured
- Implemented clean_slack_token method to preserve existing token when field is left empty during settings updates
- Improves security by masking sensitive credential in UI

Fixes: Slack token was visible in plain text in System Settings
🔴 Risk threshold exceeded. This pull request modifies sensitive code paths (dojo/forms.py) and the scanner flagged those edits as sensitive; review the changes carefully and consider updating
🔴 Configured Codepaths Edit in dojo/forms.py

| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Contributor

This pull request has conflicts; please resolve those before we can evaluate the pull request.

Contributor

Hi @omartinex we had to force push our dev branch, so to get your PR in a good place again, please do the following:
Description
This PR improves security in the System Settings page by masking the Slack token field as a password input instead of plain text.
Changes Made
- Changed `slack_token` field widget to `PasswordInput` to prevent token exposure in plain text
- Added placeholder `********** (configured)` to indicate when token is already configured
- Implemented `clean_slack_token()` method to preserve existing token when field is left empty during settings updates

Security Improvement (not a vulnerability)
This change improves security hygiene by preventing accidental exposure of the Slack token through:
The token was already properly protected in storage and API endpoints. This addresses the UI/UX aspect of credential handling.
Before: Slack token was visible in plain text in the System Settings UI
After: Token is masked with password dots, showing a placeholder when configured
Test results
✅ Tested locally with Docker Compose:
- `********** (configured)` appears when token is already set

No new unit tests added as this is a UI widget change that doesn't alter business logic. The `clean_slack_token()` method follows the same pattern as other password fields in Django forms.

Documentation
No documentation changes needed. This is an internal UI improvement that doesn't change user-facing functionality or configuration requirements.
Checklist
dev branch
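The pattern this PR describes (a password-type widget that never echoes the stored token, a placeholder that only signals "configured", and a clean method that keeps the stored token when the field is submitted empty), reimplemented without Django as an added example; this is not the PR's or DefectDojo's code. `SlackTokenForm`, the dict-based `instance` and `render_slack_token()` are assumed stand-ins for the Django ModelForm and System_Settings machinery, and the token value is constructed.

```python
from html import escape

# Placeholder text mirrors the one the PR describes; it is display-only and
# must never be stored as the token itself.
PLACEHOLDER = "********** (configured)"


class SlackTokenForm:
    """Stand-in for the Django ModelForm (assumed name, not DefectDojo's class).

    `instance` is a dict holding the stored settings where the real form has a
    System_Settings object; `data` is the submitted POST data.
    """

    def __init__(self, data, instance):
        self.data = data
        self.instance = instance
        self.cleaned_data = {}

    def render_slack_token(self):
        # What a PasswordInput widget does: the stored token is never written
        # into the value attribute, so it cannot leak via view-source or a
        # screenshot of the settings page. The placeholder only tells the user
        # whether a token is already configured.
        placeholder = PLACEHOLDER if self.instance.get("slack_token") else ""
        return (
            '<input type="password" name="slack_token" '
            f'placeholder="{escape(placeholder)}">'
        )

    def clean_slack_token(self):
        # Empty submission means "leave the token alone": keep the stored value
        # instead of overwriting it with "", which is what saving the masked
        # form would otherwise do. Any non-empty input replaces the token.
        submitted = (self.data.get("slack_token") or "").strip()
        if not submitted:
            return self.instance.get("slack_token", "")
        return submitted

    def save(self):
        self.cleaned_data["slack_token"] = self.clean_slack_token()
        self.instance["slack_token"] = self.cleaned_data["slack_token"]
        return self.instance


def token_leaks_into_html(form):
    """Review check: True if the stored token appears anywhere in the markup."""
    token = form.instance.get("slack_token")
    return bool(token) and token in form.render_slack_token()
```

`token_leaks_into_html()` is the assertion a reviewer would run against the rendered settings form before and after a change like this one.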