Merge pull request #12541 from DefectDojo/bugfix

Bugfix

Author: rossops

.github/workflows/release-x-manual-helm-chart.yml

@@ -22,6 +22,21 @@ on:
         description: 'Release number'
         required: true
 
+      make_draft:
+        type: boolean
+        description: 'Mark as draft release?'
+        default: true
+
+      make_prerelease:
+        type: boolean
+        description: 'Mark as pre-release?'
+        default: false
+
+      make_latest:
+        type: boolean
+        description: 'Mark as latest?'
+        default: false
+
 jobs:
   release-chart:
     runs-on: ubuntu-latest
@@ -38,7 +53,7 @@ jobs:
       #   id: get-upload-url
       #   uses: pdamianik/release-tag-to-upload-url-action@v1.0.1
       #   with:
-      #     tag: ${{ github.event.inputs.release_number }}
+      #     tag: ${{ inputs.release_number }}
       #     token: ${{ github.token }}
 
       - name: Configure git
@@ -62,24 +77,25 @@ jobs:
         id: pin_image
         run: |-
           yq --version
-          yq -i '.tag="${{ github.event.inputs.release_number }}"'  helm/defectdojo/values.yaml
+          yq -i '.tag="${{ inputs.release_number }}"'  helm/defectdojo/values.yaml
           echo "Current image tag:`yq -r '.tag' helm/defectdojo/values.yaml`"
 
       - name: Package Helm chart
         id: package-helm-chart
         run: |
           mkdir build
           helm package helm/defectdojo/ --destination ./build
-          echo "chart_version=$(ls build | cut -d '-' -f 2 | sed 's|\.tgz||')" >> $GITHUB_ENV
+          echo "chart_version=$(ls build | cut -d '-' -f 2,3 | sed 's|\.tgz||')" >> $GITHUB_ENV
 
-      - name: Create release ${{ github.event.inputs.release_number }}
+      - name: Create release ${{ inputs.release_number }}
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
-          name: '${{ github.event.inputs.release_number }} 🌈'
-          tag_name: ${{ github.event.inputs.release_number }}
+          name: '${{ inputs.release_number }} 🌈'
+          tag_name: ${{ inputs.release_number }}
           body: Run the release drafter to populate the release notes.
-          draft: true
-          prerelease: false
+          draft: ${{ inputs.make_draft }}
+          prerelease: ${{ inputs.make_prerelease }}
+          make_latest: ${{ inputs.make_latest }}
           files: ./build/defectdojo-${{ env.chart_version }}.tgz
           token: ${{ secrets.GITHUB_TOKEN }}
         env:
@@ -96,9 +112,9 @@ jobs:
           git checkout helm-charts
           git pull
           if [ ! -f ./index.yaml ]; then
-            helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ github.event.inputs.release_number }}/"
+            helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ inputs.release_number }}/"
           else
-            helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ github.event.inputs.release_number }}/" --merge ./index.yaml
+            helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ inputs.release_number }}/" --merge ./index.yaml
           fi
           cp -f ./build/index.yaml ./index.yaml
           git add ./index.yaml

.github/workflows/release-x-nightly.yml

@@ -77,5 +77,6 @@ jobs:
     uses: ./.github/workflows/release-x-manual-helm-chart.yml
     with:
       release_number: ${{ inputs.tag-to-apply }}
+      make_draft: false
+      make_prerelease: true
     secrets: inherit
-

dojo/jira_link/helper.py

@@ -667,27 +667,48 @@ def push_to_jira(obj, *args, **kwargs):
         raise ValueError(msg)
 
     if isinstance(obj, Finding):
-        finding = obj
-        if finding.has_jira_issue:
-            return update_jira_issue_for_finding(finding, *args, **kwargs)
-        return add_jira_issue_for_finding(finding, *args, **kwargs)
-
-    if isinstance(obj, Engagement):
-        engagement = obj
-        if engagement.has_jira_issue:
-            return update_epic(engagement, *args, **kwargs)
-        return add_epic(engagement, *args, **kwargs)
+        return push_finding_to_jira(obj, *args, **kwargs)
 
     if isinstance(obj, Finding_Group):
-        group = obj
-        if group.has_jira_issue:
-            return update_jira_issue_for_finding_group(group, *args, **kwargs)
-        return add_jira_issue_for_finding_group(group, *args, **kwargs)
+        return push_finding_group_to_jira(obj, *args, **kwargs)
 
+    if isinstance(obj, Engagement):
+        return push_engagement_to_jira(obj, *args, **kwargs)
     logger.error("unsupported object passed to push_to_jira: %s %i %s", obj.__name__, obj.id, obj)
     return None
 
 
+# we need thre separate celery tasks due to the decorators we're using to map to/from ids
+@dojo_model_to_id
+@dojo_async_task
+@app.task
+@dojo_model_from_id
+def push_finding_to_jira(finding, *args, **kwargs):
+    if finding.has_jira_issue:
+        return update_jira_issue(finding, *args, **kwargs)
+    return add_jira_issue(finding, *args, **kwargs)
+
+
+@dojo_model_to_id
+@dojo_async_task
+@app.task
+@dojo_model_from_id(model=Finding_Group)
+def push_finding_group_to_jira(finding_group, *args, **kwargs):
+    if finding_group.has_jira_issue:
+        return update_jira_issue(finding_group, *args, **kwargs)
+    return add_jira_issue(finding_group, *args, **kwargs)
+
+
+@dojo_model_to_id
+@dojo_async_task
+@app.task
+@dojo_model_from_id(model=Engagement)
+def push_engagement_to_jira(engagement, *args, **kwargs):
+    if engagement.has_jira_issue:
+        return update_epic(engagement, *args, **kwargs)
+    return add_epic(engagement, *args, **kwargs)
+
+
 def add_issues_to_epic(jira, obj, epic_id, issue_keys, *, ignore_epics=True):
     try:
         return jira.add_issues_to_epic(epic_id=epic_id, issue_keys=issue_keys, ignore_epics=ignore_epics)
@@ -713,24 +734,6 @@ def add_issues_to_epic(jira, obj, epic_id, issue_keys, *, ignore_epics=True):
             return False
 
 
-# we need two separate celery tasks due to the decorators we're using to map to/from ids
-
-@dojo_model_to_id
-@dojo_async_task
-@app.task
-@dojo_model_from_id
-def add_jira_issue_for_finding(finding, *args, **kwargs):
-    return add_jira_issue(finding, *args, **kwargs)
-
-
-@dojo_model_to_id
-@dojo_async_task
-@app.task
-@dojo_model_from_id(model=Finding_Group)
-def add_jira_issue_for_finding_group(finding_group, *args, **kwargs):
-    return add_jira_issue(finding_group, *args, **kwargs)
-
-
 def prepare_jira_issue_fields(
         project_key,
         issuetype_name,
@@ -926,24 +929,6 @@ def failure_to_add_message(message: str, exception: Exception, _: Any) -> bool:
     return True
 
 
-# we need two separate celery tasks due to the decorators we're using to map to/from ids
-
-@dojo_model_to_id
-@dojo_async_task
-@app.task
-@dojo_model_from_id
-def update_jira_issue_for_finding(finding, *args, **kwargs):
-    return update_jira_issue(finding, *args, **kwargs)
-
-
-@dojo_model_to_id
-@dojo_async_task
-@app.task
-@dojo_model_from_id(model=Finding_Group)
-def update_jira_issue_for_finding_group(finding_group, *args, **kwargs):
-    return update_jira_issue(finding_group, *args, **kwargs)
-
-
 def update_jira_issue(obj, *args, **kwargs):
     def failure_to_update_message(message: str, exception: Exception, obj: Any) -> bool:
         if exception:

dojo/settings/settings.dist.py

@@ -1824,6 +1824,7 @@ def saml2_attrib_map_format(din):
     "DLA-": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/DLA-3917-1
     "DSA-": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/DSA-5791-1
     "DTSA-": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/DTSA-41-1
+    "ELA-": "https://www.freexian.com/lts/extended/updates/",  # e.g. https://www.freexian.com/lts/extended/updates/ela-1387-1-erlang
     "ELBA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "ELSA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
     "FEDORA-": "https://bodhi.fedoraproject.org/updates/",  # e.g. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-06aa7dc422

dojo/templates/dojo/components.html

@@ -16,9 +16,9 @@ <h3 class="has-filters">
                     </div>
                 </h3>
             </div>
-        </div>
-        <div id="the-filters" class="is-filters panel-body collapse {% if filter.form.has_changed %}in{% endif %}">
-            {% include "dojo/filter_snippet.html" with form=filter.form %}
+            <div id="the-filters" class="is-filters panel-body collapse {% if filter.form.has_changed %}in{% endif %}">
+                {% include "dojo/filter_snippet.html" with form=filter.form %}
+            </div>
         </div>
         <div class="clearfix">
             {% include "dojo/paging_snippet.html" with page=result page_size=True %}

dojo/templates/dojo/filter_js_snippet.html

@@ -37,7 +37,7 @@
     {% if title_words %}
         var title_words = [
                 {% for word in title_words %}
-                    "{{word}}",
+                    "{{word|escapejs}}",
                 {% endfor %}
             ];
             {% comment %}ideally we use the form.prefix but then we have the trailing dash... django templates are hard{% endcomment %}
@@ -49,7 +49,7 @@
     {% if component_words %}
             var component_words = [
                 {% for word in component_words %}
-                    "{{word}}",
+                    "{{word|escapejs}}",
                 {% endfor %}
             ];
 

dojo/templates/dojo/product_components.html

@@ -14,9 +14,9 @@ <h3 class="has-filters">
                         </div>
                     </h3>
             </div>
-        </div>
-        <div id="the-filters" class="is-filters panel-body collapse {% if filter.form.has_changed %}in{% endif %}">
-            {% include "dojo/filter_snippet.html" with form=filter.form %}
+            <div id="the-filters" class="is-filters panel-body collapse {% if filter.form.has_changed %}in{% endif %}">
+                {% include "dojo/filter_snippet.html" with form=filter.form %}
+            </div>
         </div>
         <div class="clearfix">
             {% include "dojo/paging_snippet.html" with page=result page_size=True %}

dojo/templatetags/display_tags.py

@@ -789,7 +789,7 @@ def vulnerability_url(vulnerability_id):
                 return settings.VULNERABILITY_URLS[key] + str(vulnerability_id.replace("SSA:", "SSA-"))
             if key == "SSA-" and not re.findall(r"SSA-\d{4}-", vulnerability_id):
                 return "https://cert-portal.siemens.com/productcert/html/" + str(vulnerability_id.lower()) + ".html"
-            if key in {"AVD", "KHV", "C-"}:
+            if key in {"AVD", "KHV", "C-", "ELA-"}:
                 return settings.VULNERABILITY_URLS[key] + str(vulnerability_id.lower())
             if key == "SUSE-SU-":
                 return settings.VULNERABILITY_URLS[key] + str(vulnerability_id.lower().removeprefix("suse-su-")[:4]) + "/" + vulnerability_id.replace(":", "")

tests/finding_test.py

@@ -519,6 +519,49 @@ def test_create_finding_from_template(self):
         self.assertTrue(self.is_success_message_present(text="Finding from template added successfully."))
         self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From Template"))
 
+    @on_exception_html_source_logger
+    def test_create_finding_with_unqiue_characters(self):
+        driver = self.driver
+        # Navigate to All Finding page
+        # goto engagemnent list (and wait for javascript to load)
+        self.goto_all_engagements_overview(driver)
+
+        # Select a previously created engagement title
+        driver.find_element(By.PARTIAL_LINK_TEXT, "Ad Hoc Engagement").click()
+        driver.find_element(By.PARTIAL_LINK_TEXT, "Pen Test").click()
+
+        # Click on the 'dropdownMenu1 button'
+        # logger.info("\nClicking on dropdown menu \n")
+        driver.find_element(By.ID, "dropdownMenu_test_add").click()
+        self.assertNoConsoleErrors()
+        # Click on `Apply Template to Finding`
+        driver.find_element(By.LINK_TEXT, "Finding From Template").click()
+        self.assertNoConsoleErrors()
+        # click on the template of 'App Vulnerable to XSS'
+        logger.info("\nClicking on the template \n")
+        driver.find_element(By.LINK_TEXT, "Use This Template").click()
+        self.assertNoConsoleErrors()
+        driver.find_element(By.ID, "id_title").clear()
+        # Backslash causes error
+        driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \\Template")
+        self.assertNoConsoleErrors()
+        # Click the 'finished' button to submit
+        driver.find_element(By.ID, "id_finished").click()
+        self.assertNoConsoleErrors()
+        # Query the site to determine if the finding has been added
+        # Assert to the query to determine status of failure
+        self.assertTrue(self.is_success_message_present(text="Finding from template added successfully."))
+        self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From \\Template"))
+
+        # Navigate back to the finding list
+        driver.find_element(By.LINK_TEXT, "Findings").click()
+        self.assertNoConsoleErrors()
+        driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \\Template").click()
+        self.assertNoConsoleErrors()
+
+        # Assert that the finding is present
+        self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \\Template"))
+
     @on_exception_html_source_logger
     def test_delete_finding_template(self):
         driver = self.driver