
Jira Template: Do not HTML encode before shipping to jira #11640

Open. Wants to merge 1 commit into base: dev

Conversation

Maffooch (Contributor)

In cases when a finding has " (very prevalent with JSON blobs) the final body submitted to jira looks something like this:

{
    "findings": [
        {
            "title": "test title3",
            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau",
            "severity": "Medium"
        }
    ]
}

The reason for this is that the HTML escaping performed by render_to_string is tampering with the contents of the finding. To mitigate this, applying the safe template tag to mark the contents of the finding as "not to be touched" allows the contents to be shipped to jira without issue. This safe template tag can be a scary thing, as it may welcome some malicious opportunities if used irresponsibly, but as we are shipping the contents straight to jira, we are offloading the final contents to jira.

[sc-9870]
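An added example, not code from the PR or from DefectDojo, that models the mechanism the PR describes: Django's template autoescaping rewrites the quotes in a finding's description into HTML entities before the body reaches Jira, while marking the field safe ships it untouched. It uses `html.escape` as a stand-in for Django's escape filter (it replaces the same five characters with the same entities), a constructed finding, and two checks of the kind a practitioner would keep as a regression test after the fix.

```python
import html
import json
import re

# Constructed sample finding (not a DefectDojo object). The description
# holds a JSON blob with double quotes and an apostrophe, the case from the PR.
FINDING = {
    "title": "test title3",
    "severity": "Medium",
    "description": (
        '{"findings": [{"title": "test title3", '
        '"description": "Some very long description with\\n\\n '
        'some UTF-8 chars \u00e0 qu\'il est beau"}]}'
    ),
}


def autoescape(value: str) -> str:
    """Stand-in for Django autoescaping: html.escape(quote=True) turns
    & < > " ' into &amp; &lt; &gt; &quot; &#x27;, exactly as Django does."""
    return html.escape(value, quote=True)


def render_description(finding: dict, mark_safe: bool) -> str:
    """Render a minimal Jira-style body the way a Django template would:
    each variable is escaped unless it is marked safe (the PR's |safe)."""
    esc = (lambda v: v) if mark_safe else autoescape
    return (
        f"*Title*: {esc(finding['title'])}\n"
        f"*Severity*: {esc(finding['severity'])}\n"
        f"*Description*: {esc(finding['description'])}\n"
    )


ENTITY_RE = re.compile(r"&(?:quot|#x27|#39|amp|lt|gt);")


def entities_introduced(source: dict, rendered: str) -> set:
    """Regression check: HTML entities in the rendered body that were not in
    any source field. A non-empty set means escaping mangled the payload."""
    in_source = {m.group(0) for v in source.values()
                 for m in ENTITY_RE.finditer(str(v))}
    return set(ENTITY_RE.findall(rendered)) - in_source


def description_json_roundtrips(finding: dict, rendered: str) -> bool:
    """Does the JSON blob in the rendered description still parse and equal
    the original? False means Jira would receive a corrupted body."""
    marker = "*Description*: "
    blob = rendered[rendered.index(marker) + len(marker):].rstrip("\n")
    try:
        return json.loads(blob) == json.loads(finding["description"])
    except json.JSONDecodeError:
        return False
```

Note that `|safe` only switches off HTML escaping; Jira's description field is not an HTML context, so the escaping was never a control there, and the finding text stays untrusted input that Jira itself renders.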

@github-actions github-actions bot added the ui label Jan 24, 2025

DryRun Security Summary

The pull request enhances the security and readability of the Jira integration in Defect Dojo by adding the |safe filter to template variables and improving the formatting of Jira issue descriptions, while also cautioning about potential XSS vulnerabilities if user-supplied content is not properly sanitized.

Summary:

The code changes in this pull request focus on improving the security and readability of the Jira integration feature in the Defect Dojo application. The key changes include:

  1. Adding the |safe filter to various template variables, such as finding.description, finding.mitigation, finding.impact, finding.steps_to_reproduce, and finding.references. This is a security-related change that helps to prevent potential Cross-Site Scripting (XSS) vulnerabilities by ensuring that the content is rendered as-is, without any HTML escaping.

  2. Improving the formatting and readability of the Jira issue description, making it more user-friendly for Jira users. This includes properly encoding and formatting the finding details, such as the title, severity, CVE, CWE, component information, and status.

While the changes are generally positive from a security perspective, the use of the |safe filter should be carefully reviewed to ensure that all user-supplied content is properly sanitized and validated before rendering. Untrustworthy input that is rendered without proper sanitization can still lead to potential XSS vulnerabilities. Additionally, the Jira issue description may contain sensitive information, and it's important to consider whether all of this data should be exposed or if some of it should be redacted or obfuscated.

Files Changed:

  1. dojo/templates/issue-trackers/jira_full/jira-finding-group-description.tpl: This file contains the template for the Jira finding group description, which is used to generate the content that is pushed to Jira when a group of findings is synchronized. The changes include the addition of the |safe filter to various template variables, ensuring that the content is rendered as-is, without any HTML escaping.

  2. dojo/templates/issue-trackers/jira_full/jira-description.tpl: This file contains the template for the Jira issue description, which is used to render the details of a finding in the Jira issue. The changes include the addition of the |safe filter to various fields, which can introduce potential XSS vulnerabilities if the data is not properly sanitized or validated.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.


mtesauro (Contributor) left a comment:

Approved
