Skip to content

Release: Merge release into master from: release/2.49.1#12962

Merged
rossops merged 14 commits intomasterfrom
release/2.49.1
Aug 11, 2025
Merged

Release: Merge release into master from: release/2.49.1#12962
rossops merged 14 commits intomasterfrom
release/2.49.1

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented Aug 11, 2025

Release triggered by rossops

DefectDojo release bot and others added 13 commits August 4, 2025 15:47
Update versions in application files
22e0b93
@rossops
Merge pull request #12912 from DefectDojo/master-into-bugfix/2.49.0-2…
284378d 
….50.0-dev

Release: Merge back 2.49.0 into bugfix from: master-into-bugfix/2.49.0-2.50.0-dev
@kiblik
Revert "Feat(nginx): Add support for IPv6" (#12916)
84d149e 
This reverts commit e9d9872.
@valentijnscholten
debug toolbar: downgrade to 5.2.0 (#12919)
64a118a
@Maffooch
Webhook Notifications: Support the owner field (#12940)
3816918 
* Webhook Notifications: Support the owner field

* Forgot the `engagement_added` event in docs

* Support the case where the owner is not supplied

* Adding tests

* Adding a new user to the test data had surprising consequences...
@Maffooch
Display Tags: Do not rely on the request object being present (#12939)
6e38ffa
@valentijnscholten
new snyk_issue_api parser for code issues (file based) (#12903)
30b7e21 
* snyk_issue_api: support code items

* make fix_available backward compatible
@valentijnscholten
fix async stuff in perf test (#12901)
ce05b71
@valentijnscholten
restore entrypoint-unit-tests-devDocker.sh (#12904)
33f6e36
@kiblik
Enable ipv6 in nginx (if available) (#12938)
a2bb109 
* Revert "Feat(nginx): Add support for IPv6"

This reverts commit e9d9872.

* Feat(nginx): Add support for IPv6

* proper handling non-IPv6 hosts
@ThiagoCruzBr
ADD: Alternative command to change password (#12931)
0ca79ab 
Alternative command useful for automation.
@Maffooch
Documentation: Guide to testing hugo pipeline locally (#12959)
1980c52 
* Documentation: Guide to testing hugo pipeline locally

* Forgot I was on an a newer version of hugo
Update versions in application files
19c1fe1
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Aug 11, 2025
edited
Loading

DryRun Security

This pull request contains a potential information disclosure vulnerability in the user.tpl webhook template, which exposes sensitive personally identifiable information (PII) such as user ID, email, username, and name without apparent configuration options to limit the data transmission.

Information Disclosure in Webhook Template in dojo/templates/notifications/webhooks/subtemplates/user.tpl
Vulnerability Information Disclosure in Webhook Template
Description The user.tpl template, which is included in various webhook payloads, explicitly exposes sensitive user Personally Identifiable Information (PII) including id, email, username, first_name, and last_name. This means that all webhooks utilizing this template will transmit this PII, creating a risk of information disclosure if the webhook endpoints are not properly secured or if the data is sent to untrusted parties. There are no apparent configuration options to control which PII fields are included in the webhook payload.

django-DefectDojo/dojo/templates/notifications/webhooks/subtemplates/user.tpl

Lines 1 to 16 in 4c4b9c2

{% load display_tags %}
{% load as_json %}
{% if user %}
{% url 'view_user' user.id as user_url_ui %}
{% url 'user-detail' user.id as user_url_api %}
user:
id: {{ user.pk }}
email: {{ user.email | as_json_no_html_esc }}
username: {{ user.username | as_json_no_html_esc }}
first_name: {{ user.first_name | as_json_no_html_esc }}
last_name: {{ user.last_name | as_json_no_html_esc }}
url_ui: {{ user_url_ui | full_url | as_json_no_html_esc }}
url_api: {{ user_url_api | full_url | as_json_no_html_esc }}
{% else %}
user: {{ user | as_json_no_html_esc }}
{% endif %}

All finding details can be found in the DryRun Security Dashboard.

@rossops rossops merged commit 2b63f9e into master Aug 11, 2025
88 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

Assignees

No one assigned

Labels

docker docs helm parser ui unittests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rossops @kiblik @valentijnscholten @Maffooch @ThiagoCruzBr