Co-authored-by: Valentijn Scholten <valentijn.scholten@iodigital.com>
….52.0-dev Release: Merge back 2.51.3 into bugfix from: master-into-bugfix/2.51.3-2.52.0-dev
…ully (#13523) * 🎉 add middleware to handle social auth provider unavailability gracefully * - * - * update according to recommendation * add unittest * update * update on unittest * add integrationtest * update unittest description * update * update * fix unittest * add authforbidden
* add servicenow docs * update connectors docs * Update docs/content/en/share_your_findings/integrations.md Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update docs/content/en/share_your_findings/integrations_toolreference.md Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> --------- Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
…lery delegation (#13568)
* Added handling for abnormal wazuh severity values * Added unit tests for wazuh abnormal severities * Fixing ruff issue
* priority engine docs * Update docs/content/en/working_with_findings/priority_adjustments.md Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update docs/content/en/working_with_findings/priority_adjustments.md Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> --------- Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
* 🐛 Robustify create_user to handle None value * fix * update * update according to review
This pull request has conflicts, please resolve those before we can evaluate the pull request.
🔴 Risk threshold exceeded. This pull request modifies several sensitive files (dojo/middleware.py, dojo/pipeline.py, and dojo/templates/dojo/finding_related_row.html) triggering configured codepath alerts, and also changes settings in dojo/settings/settings.dist.py that expose a potential account takeover risk via misconfiguration of DD_SOCIAL_AUTH_CREATE_USER_MAPPING (using non-unique/unverified attributes like fullname). Review these changes carefully and ensure sensitive paths and allowed authors are configured in .dryrunsecurity.yaml and that social-auth mapping uses unique, verified attributes (e.g., email) to prevent account linkage.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/finding_related_row.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/middleware.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/pipeline.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Account Takeover via Social Auth Mapping Misconfiguration in dojo/settings/settings.dist.py
| Vulnerability | Account Takeover via Social Auth Mapping Misconfiguration |
|---|---|
| Description | The DD_SOCIAL_AUTH_CREATE_USER_MAPPING setting allows an administrator to define which attribute from a social provider (e.g., 'username', 'email', 'fullname') should be used as the local username during user creation or linking. If this setting is configured to use a non-unique or unverified attribute like 'fullname', an attacker can create a social account with a 'fullname' matching a victim's existing local username. When the attacker attempts to log in via social authentication, the system will use the attacker's social 'fullname' as the username, potentially linking their social account to the victim's local account and leading to an account takeover. |
django-DefectDojo/dojo/settings/settings.dist.py
Lines 113 to 119 in 88361c9
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
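The linking logic the finding above describes, as an added simulation that is not DefectDojo's dojo/pipeline.py and does not use python-social-auth; every name in it (LocalUserStore, link_or_create, enforce_safe, SAFE_MAPPINGS, the sample profile) is hypothetical. It shows the weak mapping beside a hardened step that rejects non-unique attributes outright and only links a social identity to a pre-existing local account when the provider-verified email matches the address stored on that account:

```python
"""Why a non-unique provider attribute in a social-auth user mapping lets an
attacker's login land on a victim's local account, and one way to harden it.

Added example: not DefectDojo's pipeline code, not python-social-auth.
All names below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Provider attributes that are unique per account and verified before the
# provider asserts them. 'fullname' is free text the account holder types.
# (Assumption for this example: only a verified email qualifies.)
SAFE_MAPPINGS = {"email"}


@dataclass
class LocalUser:
    username: str
    email: str
    social_uid: Optional[str] = None  # provider user id linked to this account


@dataclass
class LocalUserStore:
    users: Dict[str, LocalUser] = field(default_factory=dict)

    def get(self, username: str) -> Optional[LocalUser]:
        return self.users.get(username)

    def create(self, username: str, email: str, social_uid: Optional[str]) -> LocalUser:
        user = LocalUser(username, email, social_uid)
        self.users[username] = user
        return user


def resolve_username(details: dict, mapping: str) -> str:
    """Pick the local username from the provider profile per the mapping setting."""
    return details[mapping]


def link_or_create(store: LocalUserStore, details: dict, provider_uid: str,
                   mapping: str, enforce_safe: bool = False) -> LocalUser:
    """Naive pipeline step: find a local user by the mapped attribute and link
    the social identity to it, or create the user if none exists.

    With enforce_safe=True the step rejects non-unique mappings before any
    lookup and only links to an existing account when the provider-verified
    email matches the address stored on that account.
    """
    if enforce_safe and mapping not in SAFE_MAPPINGS:
        raise ValueError(f"refusing to derive usernames from non-unique attribute {mapping!r}")
    username = resolve_username(details, mapping)
    existing = store.get(username)
    if existing is None:
        return store.create(username, details["email"], provider_uid)
    if enforce_safe and not (details.get("email_verified") and details["email"] == existing.email):
        raise PermissionError(f"refusing to link {provider_uid} to existing user {username!r}")
    existing.social_uid = provider_uid  # the social identity now controls this account
    return existing


# Constructed sample data: a pre-existing local user and an attacker's social profile.
VICTIM_USERNAME = "alice"
ATTACKER_PROFILE = {
    "username": "mallory",
    "email": "mallory@attacker.example",
    "email_verified": True,
    "fullname": "alice",  # free-form field deliberately set to the victim's username
}


def weak_mapping_hijacks_victim() -> bool:
    """mapping='fullname': the attacker's login is linked to the victim's account."""
    store = LocalUserStore()
    victim = store.create(VICTIM_USERNAME, "alice@example.com", None)
    linked = link_or_create(store, ATTACKER_PROFILE, "provider:9001", mapping="fullname")
    return linked is victim and victim.social_uid == "provider:9001"


def email_mapping_creates_separate_user() -> str:
    """mapping='email': the attacker gets a new account keyed by their own address."""
    store = LocalUserStore()
    store.create(VICTIM_USERNAME, "alice@example.com", None)
    created = link_or_create(store, ATTACKER_PROFILE, "provider:9001",
                             mapping="email", enforce_safe=True)
    return created.username


def hardened_rejects_weak_mapping() -> bool:
    """With enforce_safe the 'fullname' mapping is refused before any lookup."""
    try:
        link_or_create(LocalUserStore(), ATTACKER_PROFILE, "provider:9001",
                       mapping="fullname", enforce_safe=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("weak mapping hijacks victim:", weak_mapping_hijacks_victim())
    print("email mapping creates:", email_mapping_creates_separate_user())
    print("hardened rejects fullname:", hardened_rejects_weak_mapping())
```

The point of the hardened branch is that the attribute allowlist alone is not enough: even with a unique attribute, linking a social identity to an account that already exists should require a verified match on something the provider actually vouches for, not merely a string collision on the username.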
Conflicts have been resolved. A maintainer will review the pull request shortly.
Release 2.52.0: Merge Bugfix into Dev
No description provided.