
Release: Merge back 2.50.4 into dev from: master-into-dev/2.50.4-2.51.0-dev#13276

Merged
rossops merged 21 commits intodevfrom
master-into-dev/2.50.4-2.51.0-dev
Sep 29, 2025

Conversation

@github-actions
Contributor

Release triggered by rossops

DefectDojo release bot and others added 18 commits September 22, 2025 16:01
….51.0-dev

Release: Merge back 2.50.2 into bugfix from: master-into-bugfix/2.50.2-2.51.0-dev
* sonarqube hotspots sync implementation

* params fix

* ruff fixes

* ruff fixes
…uplicates in edit forms" and bump django-multiselectfield from 0.1.13 to 1.0.1 (#13250)

This reverts commits 008cdff and 887d426.
Also cherry-picks b5ef554 from #12601
Add an Engagement's branch_tag in Jira Epic's description
[docs] update changelog 2.50.3
Added Line Field for SonarQube Scan and SonarQube Scan Detailed Scan Types
Release: Merge release into master from: release/2.50.4
@dryrunsecurity

dryrunsecurity Bot commented Sep 29, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request introduces several security concerns: two SonarQube API client methods propagate raw error responses in exceptions (risking sensitive info being logged), multiple edits touch sensitive codepaths (files like dojo/jira_link/helper.py, dojo/utils.py, dojo/forms.py flagged by configuration), and Jira integration now inserts unescaped engagement.name and engagement.branch_tag into issue descriptions, creating a potential stored XSS vector.

🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/forms.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/forms.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/forms.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/forms.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🟡 Potential Cross-Site Scripting in dojo/jira_link/helper.py
Vulnerability Potential Cross-Site Scripting
Description The patch assigns user-controllable values (engagement.name and engagement.branch_tag) into the Jira issue "description" field without any escaping or sanitization and then submits them to the Jira API. If either engagement.name or engagement.branch_tag can contain attacker-controlled input (for example, via fields a user can set), that input could include HTML or JavaScript payloads. When Jira renders the issue description in its web UI, those payloads may be interpreted as HTML/JS, leading to stored (persistent) XSS. The code paths of concern are the new concatenation into description and passing that description directly in jira_issue_update_kwargs, which sends the value to the server-side rendering context in Jira.

jira = get_jira_connection(jira_instance)
j_issue = get_jira_issue(engagement)
issue = jira.issue(j_issue.jira_id)
epic_name = kwargs.get("epic_name")
if not epic_name:
epic_name = engagement.name
description = epic_name
branch_tag = engagement.branch_tag
if branch_tag:
description += "\nBranch: " + branch_tag
jira_issue_update_kwargs = {
"summary": epic_name,
"description": description,
}
if (epic_priority := kwargs.get("epic_priority")) is not None:
jira_issue_update_kwargs["priority"] = {"name": epic_priority}

Information Disclosure via Error Messages in dojo/tools/api_sonarqube/api_client.py
Vulnerability Information Disclosure via Error Messages
Description The get_hotspot method in dojo/tools/api_sonarqube/api_client.py raises an exception that includes the raw response.content from the SonarQube API when a request fails. The calling method update_sonarqube_finding in dojo/tools/api_sonarqube/updater.py does not explicitly catch this exception. As a result, the full exception message, including the raw SonarQube API error response content, will be propagated and subsequently logged by the application's default exception handler. If the SonarQube API returns sensitive information (e.g., stack traces, internal paths, configuration details) in its error responses, this information could be exposed in application logs, potentially aiding an attacker in understanding the system's architecture or identifying further vulnerabilities.

f"Unable to get the hotspot rule {rule_id} "
f"due to {response.status_code} - {response.content}"

Information Disclosure via Error Messages in dojo/tools/api_sonarqube/api_client.py
Vulnerability Information Disclosure via Error Messages
Description The transition_hotspot method explicitly includes the raw, decoded content of the SonarQube API's error response in an exception message. This exception is not caught within the update_sonarqube_finding method and will propagate up the call stack, likely resulting in the full error message, including the external API's raw response content, being written to application logs. If SonarQube's error responses contain sensitive information (e.g., stack traces, internal paths, configuration details), this data could be exposed in Defect Dojo's logs.

f'due to {response.status_code} - {response.content.decode("utf-8")}'
)
raise Exception(msg)

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
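The two information-disclosure findings above both come from interpolating the raw SonarQube response body into an exception message. The following is an added example, not DefectDojo's own code, of one way to keep the message useful while bounding what reaches the logs: the status code and a short, control-character-free excerpt go into the exception, and the full body is emitted only at DEBUG level. `FakeResponse`, `api_error_message` and `get_hotspot_rule_hardened` are names introduced here for illustration.

```python
import json
import logging
import re
from dataclasses import dataclass

logger = logging.getLogger(__name__)

MAX_EXCERPT = 120  # characters of the remote body kept in the raised message


@dataclass
class FakeResponse:
    """Minimal stand-in for requests.Response, constructed for this example."""
    status_code: int
    content: bytes


def api_error_message(action: str, response) -> str:
    """Build an exception message with the status code and a bounded excerpt.

    The body is decoded leniently, newlines and other control characters are
    collapsed to spaces so a remote body cannot inject extra log lines, and the
    excerpt is truncated to MAX_EXCERPT characters. The untouched body is only
    written at DEBUG level, where an operator enables it deliberately.
    """
    body = response.content.decode("utf-8", errors="replace")
    logger.debug("SonarQube API error body for %s: %r", action, body)
    excerpt = re.sub(r"[\x00-\x1f\x7f]+", " ", body).strip()
    if len(excerpt) > MAX_EXCERPT:
        excerpt = excerpt[:MAX_EXCERPT] + "...(truncated)"
    return f"Unable to {action} due to {response.status_code} - {excerpt}"


def get_hotspot_rule_hardened(rule_id: str, response) -> dict:
    """Mirror of the flagged call site: raise on a non-200 status with the
    bounded message instead of the raw response.content."""
    if response.status_code != 200:
        msg = api_error_message(f"get the hotspot rule {rule_id}", response)
        raise Exception(msg)
    return json.loads(response.content)
```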

@github-actions
Contributor Author

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Contributor Author

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions
Contributor Author

Conflicts have been resolved. A maintainer will review the pull request shortly.

@rossops rossops merged commit dc761aa into dev Sep 29, 2025
90 checks passed
@rossops rossops deleted the master-into-dev/2.50.4-2.51.0-dev branch September 29, 2025 14:50
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
….50.4-2.51.0-dev

Release: Merge back 2.50.4 into dev from: master-into-dev/2.50.4-2.51.0-dev


6 participants