@valentijnscholten (Member)

Disable Run button until at least one section is added to the report builder at .../reports/builder

Fixes #8687

Screenshot 2025-10-16 202604

@valentijnscholten valentijnscholten added this to the 2.51.2 milestone Oct 16, 2025
@valentijnscholten valentijnscholten linked an issue Oct 16, 2025 that may be closed by this pull request
@github-actions github-actions bot added the ui label Oct 16, 2025
@mtesauro (Contributor)

Very nice addition 👍

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro requested review from Jino-T and dogboat October 16, 2025 18:52

dryrunsecurity bot commented Oct 16, 2025

DryRun Security

This pull request relies solely on client-side JavaScript to enforce that at least one report widget is selected before generating a report, but there is no corresponding server-side validation, so an attacker could bypass the client check and invoke the report-generation endpoint with no widgets selected, potentially causing errors, resource exhaustion, or denial of service. Adding server-side validation to verify selected widgets before processing requests is recommended.

Client-Side Enforcement of Security Controls in dojo/templates/dojo/report_builder.html
Vulnerability: Client-Side Enforcement of Security Controls
Description: The application relies solely on client-side JavaScript to ensure that at least one report widget is selected before a report can be generated. This client-side check can be easily bypassed by an attacker, allowing them to submit requests to the server-side report generation endpoint without any selected widgets. Without corresponding server-side validation, the application may process these invalid requests, leading to potential resource consumption, errors, or even denial of service.

```javascript
function runReport(event) {
    var valid = true;
    // Require at least one content widget (exclude report options)
    if ($('.in-use-widgets ul#sortable2 li').not('.report-options').length === 0) {
        alert('Please add at least one section from "Available Widgets" before running.');
        event.preventDefault();
        return;
    }
    $('.in-use-widgets .form-control').not('#finding-list .form-control')
        .not('#endpoint-list .form-control').not('#wysiwyg-content .form-control')
        .not('.bs-searchbox .form-control').not('div').each(function () {
            // remainder of the per-field validation is not included in this excerpt
        });
}
```


All finding details can be found in the DryRun Security Dashboard.
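A server-side counterpart to the client-side rule above, as an added example rather than DefectDojo's own code: it assumes (hypothetically) that the builder posts the in-use widget identifiers as a list under a `widgets` form key, with `report-options` as the identifier of the options entry, and it rejects a request that skipped the JavaScript check before any report rendering starts.

```python
"""Server-side check mirroring the client rule: at least one content widget,
ignoring the report-options entry. Added example; not DefectDojo's own code.
Assumed (hypothetical) form shape: the builder posts the in-use widget ids as a
list under the key "widgets", e.g. ["report-options", "finding-list"]."""

REPORT_OPTIONS_WIDGET = "report-options"  # assumed id of the options widget


def content_widgets(selected):
    """Return the submitted widget ids that actually produce report content."""
    seen = []
    for widget in selected:
        name = str(widget).strip()
        # Skip blanks and the options widget, and drop duplicates.
        if not name or name == REPORT_OPTIONS_WIDGET or name in seen:
            continue
        seen.append(name)
    return seen


def validate_report_request(form_data):
    """Validate a decoded POST body before report generation begins.

    Returns (ok, widgets, error). A view would respond 400 with `error`
    when ok is False, so a request that bypassed the JavaScript check never
    reaches the expensive rendering path with an empty widget list.
    """
    selected = form_data.get("widgets", [])
    if isinstance(selected, str):
        # A single form field arrives as a bare string, not a list.
        selected = [selected]
    if not isinstance(selected, list):
        return False, [], "widgets must be a list"
    widgets = content_widgets(selected)
    if not widgets:
        return False, [], "Select at least one section before running the report"
    return True, widgets, None
```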

@valentijnscholten valentijnscholten merged commit 86a8744 into DefectDojo:bugfix Oct 17, 2025
149 checks passed
Successfully merging this pull request may close these issues.

Reports output just a white page