Advance OIDC to enable groups mapping #13489
base: bugfix
🔴 Risk threshold exceeded. This pull request modifies several sensitive files (dojo/pipeline.py, dojo/models.py, dojo/group/utils.py and a DB migration) triggering configured codepath alerts, and includes changes that can create orphaned groups when assigning owners, introduce a ReDoS risk by applying admin-configurable regexes to external OIDC group names, and allow privilege escalation by directly trusting OIDC group claims to grant internal group membership. Please review the OIDC group handling, regex use, and group ownership logic (or update .dryrunsecurity.yaml) before merging.
🔴 Configured Codepaths Edit (12 findings, one per sensitive edit)
| File | Findings |
|---|---|
| dojo/pipeline.py | 5 |
| dojo/group/utils.py | 3 |
| dojo/models.py | 2 |
| dojo/db_migrations/0247_alter_dojo_group_social_provider.py | 1 |
| (file path not shown) | 1 |

| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Missing Group Ownership Assignment in dojo/group/utils.py
| Vulnerability | Missing Group Ownership Assignment |
|---|---|
| Description | The group_post_save_handler function attempts to assign the current user as the owner of a newly created group. However, if get_current_user() returns a user object that is not a Dojo_User instance, and the subsequent lookup Dojo_User.objects.get(pk=user.pk) fails (e.g., because the Dojo_User profile has not yet been created during a social authentication flow), the function returns early. This bypasses the ownership assignment logic, leading to the creation of an 'orphaned' group with no assigned owner, making it unmanageable. |
django-DefectDojo/dojo/group/utils.py
Lines 45 to 47 in be4da7f
```python
except Dojo_User.DoesNotExist:
    logger.error(f"Group post-save: No Dojo_User found for user with pk '{user.pk}'.")
    return
```
Regular Expression Denial of Service (ReDoS) in dojo/pipeline.py
| Vulnerability | Regular Expression Denial of Service (ReDoS) |
|---|---|
| Description | The update_oidc_groups function uses a regular expression defined in settings.OIDC_GROUPS_FILTER to filter group names received from an external OIDC provider. The re.search function is called with this potentially user-controlled regex and external input (group_name). If an administrator configures a vulnerable regex pattern (e.g., one susceptible to catastrophic backtracking) in OIDC_GROUPS_FILTER, a malicious or compromised OIDC provider could send a specially crafted group_name that causes the regex engine to consume excessive CPU resources, leading to a denial of service. |
django-DefectDojo/dojo/pipeline.py
Lines 122 to 125 in be4da7f
```python
if group_filter and not re.search(group_filter, group_name):
    logger.debug(f"Skipping group '{group_name}' due to OIDC_GROUPS_FILTER: {group_filter}")
    continue
filtered_group_names.append(group_name)
```
Privilege Escalation via OIDC Group Claims in dojo/pipeline.py
| Vulnerability | Privilege Escalation via OIDC Group Claims |
|---|---|
| Description | The update_oidc_groups function, when enabled, directly uses group names from the OIDC provider's 'groups' claim to assign users to internal Dojo_Groups. By default, there is no filtering (OIDC_GROUPS_FILTER is an empty string). If an attacker can control the 'groups' claim (e.g., through a misconfigured or malicious OIDC provider), they can inject the name of a high-privilege group (e.g., 'admin') and be automatically granted those privileges within the application. The assign_user_to_groups function is inferred to create or retrieve Dojo_Group objects based solely on the provided name, without additional validation or mapping. |
django-DefectDojo/dojo/pipeline.py
Lines 128 to 129 in be4da7f
```python
if len(filtered_group_names) > 0:
    assign_user_to_groups(user, filtered_group_names, Dojo_Group.OIDC)
```
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
@valentijnscholten could you please take a look here?