Advance OIDC to enable groups mapping #13489
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
settings_changes
manuel-sommer
force-pushed
the
implement_oidc_groups
branch
from
b265c56 to
252f404
Compare
github-actions
bot
added
the
New Migration
🔴 Risk threshold exceeded.This pull request modifies several sensitive backend files (dojo/group/utils.py, dojo/pipeline.py, dojo/models.py, and a DB migration) triggering configured codepath edit alerts, and introduces two functional/security issues: a missing group ownership assignment in group_post_save_handler that can leave newly created groups orphaned during social auth flows, and a potential ReDoS risk from using an administrator-configured regex (OIDC_GROUPS_FILTER) to filter OIDC group names.
🔴 Configured Codepaths Edit in
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/group/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/group/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/pipeline.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/pipeline.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/db_migrations/0247_alter_dojo_group_social_provider.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/pipeline.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/pipeline.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/pipeline.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/pipeline.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Missing Group Ownership Assignment in dojo/group/utils.py
| Vulnerability | Missing Group Ownership Assignment |
|---|---|
| Description | The group_post_save_handler is a post_save signal receiver for Django's Group model. It attempts to assign the currently logged-in user as the owner of a newly created group. However, during the initial social authentication flow (specifically, when a new user logs in via OIDC or AzureAD), the Dojo_User profile object might not yet exist, even though a standard auth.User object has been created. The get_current_user() function returns the auth.User object. The handler then attempts to retrieve the Dojo_User profile associated with this auth.User. If the Dojo_User does not exist at this point, the handler logs an error and returns early, skipping the critical step of assigning the user as a member and owner of the newly created Dojo_Group. This results in an 'orphaned' group that has no assigned owner or members, making it unmanageable through the application's UI or API. |
django-DefectDojo/dojo/group/utils.py
Lines 46 to 47 in b069232
Regular Expression Denial of Service (ReDoS) in dojo/pipeline.py
| Vulnerability | Regular Expression Denial of Service (ReDoS) |
|---|---|
| Description | The update_oidc_groups function uses a regular expression defined in settings.OIDC_GROUPS_FILTER to filter group names received from an OIDC provider. While the regex is configured by a privileged administrator, a malicious or misconfigured OIDC provider could send a crafted group name that, when evaluated against a poorly constructed regex (e.g., one susceptible to catastrophic backtracking), could lead to excessive CPU consumption. This could cause a denial of service for the user attempting to log in, and potentially impact the server's performance if the regex operation is resource-intensive enough. |
django-DefectDojo/dojo/pipeline.py
Lines 122 to 125 in b069232
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Contributor
Author
|
@valentijnscholten could you please take a look here? |
manuel-sommer
changed the title
Contributor
Author
|
Shall I target this also against dev @valentijnscholten ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.