Conversation

@github-actions
Contributor

@github-actions github-actions bot commented Jun 9, 2025

Release triggered by rossops

DefectDojo release bot and others added 9 commits June 2, 2025 17:05
….48.0-dev

Release: Merge back 2.47.0 into bugfix from: master-into-bugfix/2.47.0-2.48.0-dev
* Update pro_features.md

Add Deduplication Tuning section and link to X-tool deduplication screenshot.

* Deduplication X tool Deduplication image

image showing cross-tool deduplication screenshot

* Initial version - Deduplication Tuning

documentation of deduplication tuning

* Deduplication Settings Menu

* Additional screenshots for deduplication tuning

Same tool, cross tool, reimport deduplication screenshots with menu selection.

* Update tune_deduplication.md

Added additional information about retroactive execution of deduplication adjustments.

* Update pro_features.md

Cleaned up language about deduplication, increase technical specificity + less markety.
Added newlines for "See our guide for more information". Some had it / others didn't - easier navigation visually & to links for more info.

* Update docs/content/en/working_with_findings/finding_deduplication/tune_deduplication.md

* We love the Oxford comma :)

Co-authored-by: Harold Blankenship <[email protected]>

---------

Co-authored-by: Cody Maffucci <[email protected]>
Co-authored-by: Harold Blankenship <[email protected]>
* update changelog 2.47.0

* change article titles

* change headers for sidebar

---------

Co-authored-by: Paul Osinski <[email protected]>
* SAML Login: Respect `next` parameter

When logging in with SAML, the `next` parameter is not respected like it is for other SSO providers

* Add pre-wrapper

* Add trailing name
Release: Merge release into master from: release/2.47.1
@dryrunsecurity

dryrunsecurity bot commented Jun 9, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains an open redirect vulnerability in the SAML2 login link that could allow attackers to redirect users to arbitrary external sites, and includes sensitive edits to base and login template files that may require additional review or configuration in .dryrunsecurity.yaml.

⚠️ Open Redirect in dojo/templates/dojo/login.html
Vulnerability Open Redirect
Description The SAML2 login link constructs a redirect URL using unvalidated user input from request.GET.next. This allows an attacker to potentially redirect users to an arbitrary external site after login, which could be used for phishing or other malicious purposes. Best practices recommend validating and sanitizing redirect URLs, preferably using an allow-list of trusted destinations.

{% if SAML2_ENABLED is True %}
<div class="col-sm-offset-1 col-sm-2">
<a id="oauth-login-saml" rel="nofollow" data-method="post" href="/saml2/login?next={{ request.GET.next }}" style="color: rgb(255,255,255)" class="btn btn-success" type="button">{{ SAML2_LOGIN_BUTTON_TEXT }}</a>
</div>
{% endif %}
</div>

⚠️ Configured Codepaths Edit in dojo/templates/base.html
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/templates/base.html
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/templates/dojo/login.html
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
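A defender-side allow-list check for the `next` parameter flagged above, added here as an example; it is not code from DefectDojo or from DryRun Security. The allowed host name is a constructed placeholder, and the function mirrors the intent of Django's `url_has_allowed_host_and_scheme()` in plain Python so it runs without Django installed:

```python
"""Validate a `next` redirect target before echoing it into a login link."""
from urllib.parse import urlsplit, urlencode

# Hosts this deployment is willing to send users back to (constructed example value).
ALLOWED_HOSTS = {"defectdojo.example.com"}


def is_safe_next(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a same-site relative path or an http(s) URL on an allowed host.

    Rejects the usual open-redirect shapes: scheme-relative (//host), backslash-confused
    (/\\host), userinfo tricks (https://good@evil), non-http schemes and control characters.
    Stricter than Django's helper: bare relative paths without a leading "/" are refused.
    """
    if not url:
        return False
    # Browsers treat backslashes as forward slashes, so normalise before parsing.
    url = url.replace("\\", "/")
    # Whitespace or control characters can make parsers and browsers disagree.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    if not parts.netloc:
        # Relative URL: exactly one leading slash (neither "//host" nor "http:///x").
        return url.startswith("/") and not url.startswith("//")
    # Absolute URL: hostname (not the raw netloc, which may carry user@) must be allowed.
    return parts.hostname in allowed_hosts


def build_saml_login_href(next_param, fallback="/"):
    """Build the SAML login href, substituting a safe fallback for a rejected `next`.

    The query value is URL-encoded rather than interpolated raw into the template.
    """
    target = next_param if is_safe_next(next_param) else fallback
    return "/saml2/login?" + urlencode({"next": target})
```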

@github-actions
Contributor Author

github-actions bot commented Jun 9, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Contributor Author

github-actions bot commented Jun 9, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@rossops rossops merged commit d0f4f51 into dev Jun 9, 2025
79 of 80 checks passed
@rossops rossops deleted the master-into-dev/2.47.1-2.48.0-dev branch June 9, 2025 15:54