
Release: Merge back 2.50.2 into dev from: master-into-dev/2.50.2-2.51.0-dev#13240

Merged
rossops merged 17 commits into dev from master-into-dev/2.50.2-2.51.0-dev, Sep 22, 2025

Conversation

@github-actions (Contributor)

Release triggered by rossops

DefectDojo release bot and others added 15 commits September 15, 2025 15:17
….51.0-dev

Release: Merge back 2.50.2 into bugfix from: master-into-bugfix/2.50.2-2.51.0-dev
* product grade: only update product if grade has changed

* product grade: only update product if grade has changed
* test filter on last_status_update

* test filter on last_status_update

* make datetimes timezone aware
* 💄 Update Wazuh v4.8

* ruff

* update

* update

* Update dojo/tools/wazuh/v4_8.py

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
* bulk edit: update under_review flag

* bulk edit: update under_review flag
* add sticker link

* update changelog 2.50.2

* update generic findings documentation

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Tags: Remove duplicates in edit forms
Release: Merge release into master from: release/2.50.3
@dryrunsecurity (Bot) commented Sep 22, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies multiple sensitive codepaths (files under dojo/ such as utils.py, forms.py, filters.py, engagement/views.py, finding/views.py, metrics/utils.py, test/views.py) flagged by the configured codepaths scanner, and it contains two concrete risks: a code-injection vulnerability where the user-editable System_Settings.product_grade CharField is passed to asteval in calculate_grade, and an unbounded tag-creation/resource exhaustion risk in the TagField implementation; please review these changes carefully or update .dryrunsecurity.yaml to explicitly allow the edits.

🔴 Configured Codepaths Edit findings (each with Vulnerability: Configured Codepaths Edit; Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.):
* dojo/forms.py
* dojo/engagement/views.py
* dojo/filters.py
* dojo/finding/views.py
* dojo/forms.py
* dojo/metrics/utils.py
* dojo/test/views.py
* dojo/utils.py
* dojo/filters.py
* dojo/finding/views.py
* dojo/forms.py
* dojo/metrics/utils.py
* dojo/utils.py
Resource Exhaustion via Unbounded Tag Creation in dojo/forms.py
Vulnerability: Resource Exhaustion via Unbounded Tag Creation
Description: The TagField implementation, which uses django-tagulous, lacks explicit limits on the length of individual tags and the total number of unique tags that can be created. While a tag_validator exists to prevent certain characters, it does not address the core issue of resource consumption. This allows a malicious user to create an excessive number of long, unique tags, leading to potential database bloat, performance degradation, and ultimately, resource exhaustion or denial of service.

    product_manager = forms.ModelChoiceField(queryset=Dojo_User.objects.exclude(is_active=False).order_by("first_name", "last_name"), required=False)
    technical_contact = forms.ModelChoiceField(queryset=Dojo_User.objects.exclude(is_active=False).order_by("first_name", "last_name"), required=False)
    team_manager = forms.ModelChoiceField(queryset=Dojo_User.objects.exclude(is_active=False).order_by("first_name", "last_name"), required=False)
    tags = TagField(
        required=False,
        help_text="Add tags that help describe this product. Choose from the list or add new tags. Press Enter key to add.",
    )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

Code Injection via User-Editable product_grade Field in dojo/utils.py
Vulnerability: Code Injection via User-Editable product_grade Field
Description: The product_grade field, which is directly used in an aeval call within the calculate_grade function, is a user-editable CharField in the System_Settings model. This means an authenticated administrator can input arbitrary Python code into this field. When calculate_grade is executed, this arbitrary code will be evaluated by the asteval interpreter, leading to a code injection vulnerability. The patch itself modifies how the result of this evaluation is used, but does not address the underlying vulnerability of user-controlled input being passed to aeval.

    aeval = Interpreter()
    aeval(system_settings.product_grade)
    grade_product = f"grade_product({critical}, {high}, {medium}, {low})"
    prod_numeric_grade = aeval(grade_product)
    if prod_numeric_grade != product.prod_numeric_grade:
        logger.debug("Updating product %s grade from %s to %s", product.id, product.prod_numeric_grade, prod_numeric_grade)
        product.prod_numeric_grade = prod_numeric_grade
        super(Product, product).save()
    else:
        logger.debug("Product %s grade %i is up to date", product.id, prod_numeric_grade)


def get_celery_worker_status():

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
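As an added defender-side illustration of the aeval finding in the comment above (example code written here, not DefectDojo's or DryRun Security's): one mitigation is to parse the user-editable product_grade setting with the standard ast module and accept only the node types a grading formula needs before anything evaluates it. The names validate_grade_formula and calculate_grade_safely and the sample formula are assumptions constructed for this example; the real calculate_grade uses asteval, which the example replaces with a restricted exec so it runs with no extra dependency.

```python
import ast

# Node types a grading formula legitimately needs; Call, Attribute, Import,
# Subscript, Lambda and comprehensions are deliberately absent.
ALLOWED_NODES = (
    ast.FunctionDef, ast.arguments, ast.arg, ast.Return, ast.Assign, ast.If,
    ast.Compare, ast.BoolOp, ast.And, ast.Or, ast.BinOp, ast.UnaryOp, ast.Add,
    ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.USub, ast.Not, ast.Gt,
    ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq, ast.Constant, ast.Name,
    ast.Load, ast.Store,
)
def validate_grade_formula(source):
    """Accept only one def grade_product(a, b, c, d) built from ALLOWED_NODES,
    numeric constants, and names that are its parameters or its own locals."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.FunctionDef):
        return False
    fn, a = tree.body[0], tree.body[0].args
    if (fn.name != "grade_product" or len(a.args) != 4 or a.vararg or a.kwarg
            or a.kwonlyargs or a.posonlyargs or a.defaults or fn.decorator_list):
        return False
    known = {p.arg for p in a.args}  # names the formula may reference
    for node in ast.walk(fn):
        if not isinstance(node, ALLOWED_NODES):
            return False
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float)):
            return False
        if isinstance(node, ast.Assign):
            known.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return all(n.id in known for n in ast.walk(fn) if isinstance(n, ast.Name))
def calculate_grade_safely(source, critical, high, medium, low):
    """Validate, then run the formula with an empty builtins table (a hypothetical
    stand-in for the raw aeval call); a rejected formula raises instead."""
    if not validate_grade_formula(source):
        raise ValueError("product_grade formula rejected")
    ns = {"__builtins__": {}}
    exec(compile(source, "<product_grade>", "exec"), ns)
    return ns["grade_product"](critical, high, medium, low)
# Constructed sample formula for demonstration; not DefectDojo's shipped default.
SAMPLE_FORMULA = """def grade_product(crit, high, med, low):
    health = 100
    if crit > 0:
        health = 40 - ((crit - 1) * 5)
    elif high > 0:
        health = 60
    return health
"""
```

The validator rejects anything outside the whitelist (a call, attribute access, an extra top-level statement, a string constant) before evaluation, which is the check the bot notes is missing in front of aeval.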

@github-actions (Contributor, Author)

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions (Bot) added labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests, integration_tests, parser and removed conflicts-detected, Sep 22, 2025
@github-actions (Contributor, Author)

Conflicts have been resolved. A maintainer will review the pull request shortly.

@rossops rossops merged commit 09acc8f into dev Sep 22, 2025
290 of 294 checks passed
@rossops rossops deleted the master-into-dev/2.50.2-2.51.0-dev branch September 22, 2025 19:48
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
….50.2-2.51.0-dev

Release: Merge back 2.50.2 into dev from: master-into-dev/2.50.2-2.51.0-dev