
File Uploads: Allow FPR format #11157

Merged: 3 commits from issue_11153 into DefectDojo:bugfix, Nov 1, 2024

Conversation

manuel-sommer (Contributor) commented Oct 29, 2024

closes #11153

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Oct 29, 2024

dryrunsecurity bot commented Oct 29, 2024

DryRun Security Summary

The pull request updates the configuration of the DefectDojo application, including a change to the SHA-256 hash value of the .settings.dist.py file and the addition of a new file type, .fpr, to the list of acceptable file types that can be uploaded to the application, which should be reviewed to ensure that the updates do not introduce any security risks.


Summary:

The code changes in this pull request involve updates to two files related to the configuration of the DefectDojo application. The first change updates the SHA-256 hash value of the .settings.dist.py configuration file, suggesting a legitimate update to the application's configuration. The second change adds a new file type, .fpr, to the list of acceptable file types that can be uploaded to the application.

While these changes do not appear to introduce any obvious security vulnerabilities, it is important to review the actual changes to the configuration files and the application's overall security posture to ensure that the updates do not have any unintended consequences or introduce new security risks. Proper file upload validation, secure configuration management, and thorough input validation are crucial to maintaining the security and reliability of the DefectDojo application.

Files Changed:

  1. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash value of the .settings.dist.py configuration file has been updated, indicating a legitimate update to the application's configuration. As an application security engineer, I would recommend reviewing the changes to the .settings.dist.py file to verify that the update does not introduce any security risks.

  2. dojo/settings/settings.dist.py: The changes add a new file type, .fpr, to the list of acceptable file types that can be uploaded to the application. While this change does not appear to introduce any immediate security concerns, it is important to ensure that the application properly validates and sanitizes the uploaded files to prevent potential security vulnerabilities, such as file-based attacks. Additionally, the application's configuration should be regularly reviewed to align with the security requirements and to prevent the inclusion of unnecessary or potentially risky file types.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

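The bot summary above says the PR adds `.fpr` to the allow-list of upload file types and asks that uploads still be validated. The following is an added example of what such a check can look like; it is not DefectDojo's code and the PR itself only touches the settings file. The names `ALLOWED_UPLOAD_EXTENSIONS`, `validate_upload`, `normalized_extension`, `UploadRejected` and `build_sample_fpr` are this example's own, and the allow-list contents are constructed rather than taken from the project's setting. It goes slightly beyond the page: besides the extension allow-list it also checks that a `.fpr` upload really is what that extension claims, since a Fortify FPR report is a ZIP archive carrying an `audit.fvdl` results file.

```python
"""Allow-list validation for uploaded scan files (added example, not DefectDojo code)."""
import io
import zipfile
from pathlib import PurePosixPath

# Hypothetical allow-list standing in for the project's own upload-types setting.
# The PR under discussion adds ".fpr"; the other entries are constructed for the example.
ALLOWED_UPLOAD_EXTENSIONS = {".xml", ".json", ".csv", ".fpr"}

# Leading bytes expected for extensions whose format has a stable signature.
# A Fortify .fpr report is a ZIP container, so it starts with the local file header "PK\x03\x04".
EXPECTED_MAGIC = {
    ".fpr": b"PK\x03\x04",
}


class UploadRejected(ValueError):
    """Raised when an upload fails the allow-list or content checks."""


def normalized_extension(filename: str) -> str:
    """Return the lower-cased final suffix of the bare file name.

    Path components (including Windows-style ones) are discarded so that a
    client-supplied path cannot influence the decision, and only the last
    suffix counts, so "report.FPR" and "x.backup.fpr" both map to ".fpr".
    """
    name = PurePosixPath(filename.replace("\\", "/")).name
    return PurePosixPath(name).suffix.lower()


def validate_upload(filename: str, data: bytes) -> str:
    """Check an upload against the allow-list and, where known, its content signature.

    Returns the normalized extension on success, raises UploadRejected otherwise.
    """
    ext = normalized_extension(filename)
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not in the allow-list")

    magic = EXPECTED_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        raise UploadRejected(f"content of {filename!r} does not look like {ext}")

    if ext == ".fpr":
        # Signature alone is weak (any ZIP passes); also require the archive to
        # open cleanly and to contain the Fortify results file.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "audit.fvdl" not in zf.namelist():
                    raise UploadRejected("FPR archive does not contain audit.fvdl")
        except zipfile.BadZipFile as exc:
            raise UploadRejected("FPR archive is corrupt") from exc
    return ext


def build_sample_fpr(with_fvdl: bool = True) -> bytes:
    """Constructed stand-in for a Fortify report: a ZIP with a minimal audit.fvdl.

    Pass with_fvdl=False to build a ZIP that has the right signature but is
    not a usable FPR, to exercise the structural check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_fvdl:
            zf.writestr("audit.fvdl", "<FVDL/>")
        else:
            zf.writestr("README.txt", "not a fortify report")
    return buf.getvalue()


if __name__ == "__main__":
    print(validate_upload("C:\\scans\\Report.FPR", build_sample_fpr()))  # .fpr
    for name, payload in [("scan.exe", b"MZ"), ("scan.fpr", b"<html>"), ("scan.fpr", build_sample_fpr(False))]:
        try:
            validate_upload(name, payload)
        except UploadRejected as err:
            print(f"rejected {name}: {err}")
```

Extending the allow-list is only the first half of the change; the second half, which the settings file cannot express, is knowing what a well-formed file of the new type looks like and rejecting uploads that merely carry the extension.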

mtesauro (Contributor) left a comment:

Approved

@Maffooch Maffooch changed the title fix for issue #11153 File Uploads: Allow FPR format Nov 1, 2024
@Maffooch Maffooch merged commit 6d811e0 into DefectDojo:bugfix Nov 1, 2024
73 checks passed
@manuel-sommer manuel-sommer deleted the issue_11153 branch November 1, 2024 21:50