Allow enabling Django Debug Toolbar via env variable

[valentijnscholten]

This PR changes the importing of the extra urls for the debug toolbaar a bit to make it work with Django Debug Toolbar 6.0.0.

The debug toolbar is now also included by default in settings.dist.py, but in disabled state.

It can be enabled by setting `` to True. It's disabled by default, except when running in dev mode. Hopefully every PR author from now on will check the toolbar for any adverse performance effects :-)

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[valentijnscholten]

converted back to draft as it doesn't work "anymore", will investigate.

[valentijnscholten]

converted back to draft as it doesn't work "anymore", will investigate.

fixed

[dryrunsecurity]

This pull request leaves the Django Debug Toolbar configured to be unconditionally visible (the show_toolbar callback always returns True), so if DJANGO_DEBUG_TOOLBAR_ENABLED is set in a production environment it could expose sensitive debugging information. The issue is in dojo/settings/settings.dist.py where the toolbar visibility is effectively unrestricted.

Potential Information Disclosure via Debug Toolbar in dojo/settings/settings.dist.py

Vulnerability

Potential Information Disclosure via Debug Toolbar

Description

The Django Debug Toolbar is configured to be unconditionally visible if enabled, due to the show_toolbar callback always returning True. This means that if DJANGO_DEBUG_TOOLBAR_ENABLED is set to True in a production environment, sensitive debugging information (such as SQL queries, request/response data, and application settings) could be exposed to any visitor, leading to severe information disclosure.

django-DefectDojo/dojo/settings/settings.dist.py

Lines 1942 to 1986 in 674c646

	warnings.filterwarnings("ignore", "The FORMS_URLFIELD_ASSUME_HTTPS transitional setting is deprecated.")
	FORMS_URLFIELD_ASSUME_HTTPS = True
	# Inspired by https://adamj.eu/tech/2023/12/07/django-fix-urlfield-assume-scheme-warnings/
	if DEBUG:
	# adding DEBUG logging for all of Django.
	LOGGING["loggers"]["root"] = {
	"handlers": ["console"],
	"level": "DEBUG",
	}
	if DJANGO_DEBUG_TOOLBAR_ENABLED:
	INSTALLED_APPS += (
	"debug_toolbar",
	)
	MIDDLEWARE = ["debug_toolbar.middleware.DebugToolbarMiddleware", *MIDDLEWARE]
	def show_toolbar(request):
	return True
	DEBUG_TOOLBAR_CONFIG = {
	"SHOW_TOOLBAR_CALLBACK": show_toolbar,
	"INTERCEPT_REDIRECTS": False,
	"SHOW_COLLAPSED": True,
	}
	DEBUG_TOOLBAR_PANELS = [
	# 'ddt_request_history.panels.request_history.RequestHistoryPanel', # Here it is
	"debug_toolbar.panels.versions.VersionsPanel",
	"debug_toolbar.panels.timer.TimerPanel",
	"debug_toolbar.panels.settings.SettingsPanel",
	"debug_toolbar.panels.headers.HeadersPanel",
	"debug_toolbar.panels.request.RequestPanel",
	"debug_toolbar.panels.sql.SQLPanel",
	"debug_toolbar.panels.templates.TemplatesPanel",
	# 'debug_toolbar.panels.staticfiles.StaticFilesPanel',
	"debug_toolbar.panels.cache.CachePanel",
	"debug_toolbar.panels.signals.SignalsPanel",
	# 'debug_toolbar.panels.logging.LoggingPanel',
	"debug_toolbar.panels.redirects.RedirectsPanel",
	"debug_toolbar.panels.profiling.ProfilingPanel",
	# 'cachalot.panels.CachalotPanel',
	]

---

All finding details can be found in the DryRun Security Dashboard.

[Maffooch]

This is a very elegant approach here - great work!

[mtesauro]

Approved