Merge pull request #3624 from DefectDojo/release/1.11.1

Release: Merge release into master from: release/1.11.1

Author: valentijnscholten

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "DefectDojo",
-  "version": "1.11.0",
+  "version": "1.11.1",
   "dependencies": {
     "JUMFlot": "jumjum123/JUMFlot#*",
     "bootstrap": "^3.4.0",

dojo/__init__.py

@@ -6,6 +6,6 @@
 
 default_app_config = 'dojo.apps.DojoAppConfig'
 
-__version__ = '1.11.0'
+__version__ = '1.11.1'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'http://defectdojo.readthedocs.io/'

dojo/endpoint/views.py

@@ -18,7 +18,8 @@
 from dojo.forms import EditEndpointForm, \
     DeleteEndpointForm, AddEndpointForm, DojoMetaDataForm
 from dojo.models import Product, Endpoint, Finding, System_Settings, DojoMeta, Endpoint_Status
-from dojo.utils import get_page_items, add_breadcrumb, get_period_counts, get_system_setting, Product_Tab, calculate_grade
+from dojo.utils import get_page_items, add_breadcrumb, get_period_counts, get_system_setting, Product_Tab, \
+    calculate_grade, redirect
 from dojo.notifications.helper import create_notification
 from dojo.user.helper import user_must_be_authorized
 
@@ -441,7 +442,7 @@ def endpoint_status_bulk_update(request, fid):
                                     messages.ERROR,
                                     'Unable to process bulk update. Required fields were not selected.',
                                     extra_tags='alert-danger')
-    return HttpResponseRedirect(post['return_url'])
+    return redirect(post['return_url'])
 
 
 def prefetch_for_endpoints(endpoints):

dojo/product/views.py

@@ -196,7 +196,11 @@ def identify_view(request):
     get_data = request.GET
     view = get_data.get('type', None)
     if view:
-        return view
+        # value of view is reflected in the template, make sure it's valid
+        # although any XSS should be catch by django autoescape, we see people sometimes using '|safe'...
+        if view in ['Endpoint', 'Finding']:
+            return view
+        raise ValueError('invalid view, view must be "Endpoint" or "Finding"')
     else:
         if get_data.get('finding__severity', None):
             return 'Endpoint'

dojo/reports/views.py

@@ -27,7 +27,7 @@
     CustomReportJsonForm, ReportOptions, report_widget_factory
 from dojo.tasks import async_pdf_report, async_custom_pdf_report
 from dojo.utils import get_page_items, add_breadcrumb, get_system_setting, get_period_counts_legacy, Product_Tab, \
-    get_words_for_field
+    get_words_for_field, redirect
 from dojo.user.helper import user_must_be_authorized, check_auth_users_list
 
 logger = logging.getLogger(__name__)
@@ -318,7 +318,7 @@ def reports(request):
 def regen_report(request, rid):
     report = get_object_or_404(Report, id=rid)
     if report.type != 'Custom':
-        return HttpResponseRedirect(report.options + "&regen=" + rid)
+        return redirect(report.options + "&regen=" + rid)
     else:
         report.datetime = timezone.now()
         report.status = 'requested'

dojo/survey/views.py

@@ -212,7 +212,7 @@ def add_questionnaire(request, eid):
                 return HttpResponseRedirect(reverse(
                     'answer_questionnaire', args=(eid, survey.id)))
 
-            return HttpResponseRedirect('/engagement/%s' % eid)
+            return HttpResponseRedirect(reverse('view_engagement', args=(eid,)))
         else:
             messages.add_message(request,
                                  messages.ERROR,

dojo/tools/acunetix/parser_helper.py

@@ -6,8 +6,6 @@
 # from memory_profiler import profile #Comment out this and profile in defectdojo repo
 import html2text
 
-logging.basicConfig(level=logging.ERROR)
-
 SCAN_NODE_TAG_NAME = "Scan"
 ACUNETIX_XML_SCAN_IGNORE_NODES = ['Technologies', 'Crawler']
 ACUNETIX_XML_REPORTITEM_IGNORE_NODES = ['CVEList', 'CVSS', 'CVSS3']
@@ -21,7 +19,7 @@ def get_root_node(filename):
     :return:
     """
     try:
-        tree = etree.parse(filename)
+        tree = etree.parse(filename, etree.XMLParser(resolve_entities=False))
         return tree.getroot()
     except XMLSyntaxError as xse:
         logging.error("ERROR : error parsing XML file {filename}".format(filename=filename))

dojo/tools/qualys_webapp/parser.py

@@ -232,6 +232,7 @@ def qualys_webapp_parser(qualys_xml_file, test):
     if qualys_xml_file is None:
         return []
 
+    # supposed to be safe against XEE: https://docs.python.org/3/library/xml.html#xml-vulnerabilities
     tree = xml.etree.ElementTree.parse(qualys_xml_file)
     is_app_report = tree.getroot().tag == 'WAS_WEBAPP_REPORT'
 

dojo/tools/veracode/parser.py

@@ -27,7 +27,7 @@ def __init__(self, filename, test):
             self.items = list()
             return
         try:
-            xml = etree.parse(filename)
+            xml = etree.parse(filename, etree.XMLParser(resolve_entities=False))
         except:
             raise NamespaceErr('Cannot parse this report. Make sure to upload a proper Veracode Detailed XML report.')
 

dojo/unittests/test_deduplication_logic.py

@@ -6,9 +6,6 @@
 logger = logging.getLogger(__name__)
 deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")
 
-loglevel = logging.DEBUG
-logging.basicConfig(level=loglevel)
-
 # things to consider:
 # - cross scanner deduplication is still flaky as if some scanners don't provide severity, but another doesn, the hashcode will be different so no deduplication happens.
 #   so I couldn't create any good tests