Conversation

@valentijnscholten
Member

@valentijnscholten valentijnscholten commented Oct 5, 2025

Sometimes you find a bug report or feature request that is a good match for an LLM.

This PR fixes #9071

image

@valentijnscholten valentijnscholten added this to the 2.52.0 milestone Oct 5, 2025
@github-actions github-actions bot added the ui label Oct 5, 2025
@dryrunsecurity

dryrunsecurity bot commented Oct 5, 2025

DryRun Security

This pull request includes a broad except Exception: in dojo/engagement/views.py around unlink_jira that logs the full exception via logger.exception, which risks recording sensitive JIRA API request/response details or stack traces in internal logs; while it returns a generic 500 to users, the internal logging could expose sensitive information if logs are accessed. Consider narrowing the exception handling and avoiding logging sensitive response details (or sanitize/redact them) before writing to logs.

Broad Exception Handling with Sensitive Data Logging in dojo/engagement/views.py
Vulnerability Broad Exception Handling with Sensitive Data Logging
Description The unlink_jira function uses a broad except Exception: block when calling jira_helper.unlink_jira. Interactions with external APIs like JIRA can raise exceptions containing sensitive information (e.g., API request/response details, internal URLs, detailed JIRA error messages, or stack traces from the client library). While the generic HTTP 500 response prevents direct leakage to the user, the logger.exception call will log these potentially sensitive details internally. If an attacker gains access to these logs, they could exfiltrate sensitive information, which constitutes a security risk.

except Exception:
logger.exception("Link to JIRA epic could not be deleted")
messages.add_message(
request,


All finding details can be found in the DryRun Security Dashboard.
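The bot's recommendation (narrow the handler, redact before logging) can be illustrated side by side with the flagged pattern. The following is an added example written for this page, not DefectDojo code: `JiraClientError` is a constructed stand-in for the JIRA client's exception type, `delete_epic_link` is a hypothetical callable standing in for `jira_helper.unlink_jira`, and the failing URL and response body are constructed sample values.

```python
"""Broad 'except Exception' + logger.exception versus a narrowed handler that
redacts before logging. Added example; not DefectDojo's code."""
import logging
from urllib.parse import urlsplit, urlunsplit

logger = logging.getLogger("jira_unlink_example")
logger.setLevel(logging.DEBUG)
logger.propagate = False


class ListHandler(logging.Handler):
    """Collects formatted log output so the two handlers can be compared."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


_handler = ListHandler()
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
logger.addHandler(_handler)


class JiraClientError(Exception):
    """Constructed stand-in for a JIRA client exception that carries the
    request URL and the raw response body in its message."""

    def __init__(self, status_code, url, text):
        super().__init__(f"HTTP {status_code} from {url}: {text}")
        self.status_code = status_code
        self.url = url
        self.text = text


def redact_url(url):
    """Keep scheme, host and path; drop userinfo, query string and fragment,
    which is where credentials and tokens usually end up."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def unlink_jira_broad(delete_epic_link):
    """The pattern flagged in the review: every exception is caught and
    logger.exception writes the full exception text plus traceback."""
    try:
        delete_epic_link()
    except Exception:
        logger.exception("Link to JIRA epic could not be deleted")
        return False
    return True


def unlink_jira_narrow(delete_epic_link):
    """Hardened variant: only the client error is handled here, and the log
    line carries the status code and a redacted endpoint, never the response
    body or the exception's own message. Anything else propagates."""
    try:
        delete_epic_link()
    except JiraClientError as exc:
        logger.warning(
            "Link to JIRA epic could not be deleted: status=%s endpoint=%s",
            exc.status_code,
            redact_url(exc.url),
        )
        return False
    return True


def failing_call():
    """Constructed failure: token-bearing URL and a verbose error body."""
    raise JiraClientError(
        401,
        "https://svc:s3cret@jira.example.internal:8443/rest/api/2/issue/KEY-1"
        "?os_authType=basic&token=abc123",
        '{"errorMessages":["Bad credentials for user svc"],"debug":"trace..."}',
    )


def run_both():
    """Run each handler against the same failure; return what each logged."""
    _handler.lines.clear()
    unlink_jira_broad(failing_call)
    broad_output = "\n".join(_handler.lines)
    _handler.lines.clear()
    unlink_jira_narrow(failing_call)
    narrow_output = "\n".join(_handler.lines)
    return broad_output, narrow_output


if __name__ == "__main__":
    broad, narrow = run_both()
    print("broad handler logged:\n" + broad)
    print("narrow handler logged:\n" + narrow)
```

Running it shows the broad handler's traceback line reproducing the embedded credentials, the `token=` query parameter and the JIRA error body, while the narrow handler records only `status=401` and the host/path. Letting exception types other than the client error propagate is deliberate: the framework's own 500 handling takes over, and the view no longer has to decide what is safe to log for errors it did not anticipate.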

Contributor

@mtesauro mtesauro left a comment

Approved

@Maffooch Maffooch requested review from Jino-T and blakeaowens October 7, 2025 14:59
@valentijnscholten valentijnscholten merged commit c8c4750 into DefectDojo:dev Oct 8, 2025
147 checks passed