Conversation

@manuel-sommer
Contributor

@manuel-sommer manuel-sommer commented Oct 21, 2025

  • Implement OIDC groups to be parsed.
  • Added unit tests for update_oidc_groups and update_azure_groups

@github-actions github-actions bot added the settings_changes label (Needs changes to settings.py based on changes in settings.dist.py included in this PR) Oct 21, 2025
@github-actions github-actions bot added the New Migration label (Adding a new migration file. Take care when merging.) and the unittests label Oct 30, 2025
@manuel-sommer manuel-sommer marked this pull request as ready for review October 31, 2025 06:47
@github-actions github-actions bot added the docs label Oct 31, 2025
@dryrunsecurity

dryrunsecurity bot commented Oct 31, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies multiple sensitive codepaths (dojo/pipeline.py, dojo/models.py, dojo/group/utils.py, and a DB migration) flagged for sensitive edits and requiring verification against .dryrunsecurity.yaml, and it also introduces a potential ReDoS risk by using the admin-configurable settings.OIDC_GROUPS_FILTER directly in re.search without validation or timeout. Reviewers should confirm allowed authors/paths in .dryrunsecurity.yaml and validate or safely handle the OIDC regex to mitigate catastrophic backtracking.

🔴 Configured Codepaths Edit in dojo/pipeline.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/models.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/db_migrations/0252_alter_dojo_group_social_provider.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/group/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Regular Expression Denial of Service (ReDoS) in dojo/pipeline.py
Vulnerability Regular Expression Denial of Service (ReDoS)
Description The function uses a user-configurable setting, settings.OIDC_GROUPS_FILTER, directly as a regular expression pattern in re.search(). There is no validation on the complexity of this pattern, nor is there a timeout mechanism. If an administrator configures a vulnerable regex (e.g., one susceptible to catastrophic backtracking), an attacker who can influence the group names returned by the OIDC provider could trigger a Denial of Service.

    if group_filter and not re.search(group_filter, group_name):
        logger.debug(f"Skipping group '{group_name}' due to OIDC_GROUPS_FILTER: {group_filter}")
        continue
    filtered_group_names.append(group_name)

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
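One fail-closed way to evaluate an admin-configured group filter against provider-supplied group names, as an added example that is not DefectDojo's code and not part of this PR. Python's stdlib re has no match timeout, so the match runs in a child process that can be killed; the length cap, the time budget and the helper names are assumptions.

```python
import logging
import multiprocessing
import re

logger = logging.getLogger(__name__)

MAX_GROUP_NAME_LEN = 256     # assumed bound: backtracking cost grows with input length
MATCH_TIMEOUT_SECONDS = 1.0  # assumed wall-clock budget for one filter pass


def compile_group_filter(group_filter):
    """Validate the admin-supplied pattern once, at configuration time.

    Returns None when no filter is configured and raises ValueError for a
    pattern that does not compile, so a typo surfaces at startup instead of
    silently admitting or dropping every group at login.
    """
    if not group_filter:
        return None
    try:
        return re.compile(group_filter)
    except re.error as exc:
        raise ValueError(f"OIDC_GROUPS_FILTER is not a valid regex: {exc}") from exc


def _filter_in_child(pattern_text, group_names, conn):
    # Runs in the child process, which may be terminated mid-match without harming the parent.
    pattern = re.compile(pattern_text)
    conn.send([name for name in group_names if pattern.search(name)])
    conn.close()


def filter_oidc_groups(group_names, group_filter, timeout=MATCH_TIMEOUT_SECONDS):
    """Return the group names that pass the filter, or None if the time budget was exceeded.

    On None the caller should grant no group memberships and alert (fail closed).
    """
    pattern = compile_group_filter(group_filter)
    if pattern is None:
        return list(group_names)
    # Reject oversized names outright rather than truncating them, which would change what matches.
    bounded = [name for name in group_names if len(name) <= MAX_GROUP_NAME_LEN]
    methods = multiprocessing.get_all_start_methods()
    ctx = multiprocessing.get_context("fork" if "fork" in methods else None)
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_filter_in_child, args=(pattern.pattern, bounded, child_conn))
    proc.start()
    proc.join(timeout)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        logger.error("OIDC_GROUPS_FILTER exceeded %.1fs on %d groups; granting none", timeout, len(bounded))
        return None
    return parent_conn.recv() if parent_conn.poll() else None
```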

@manuel-sommer
Contributor Author

@valentijnscholten could you please take a look here?

@manuel-sommer manuel-sommer changed the title Implement OIDC groups mapping Advance OIDC to enable groups mapping Nov 4, 2025
@github-actions
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@manuel-sommer manuel-sommer changed the base branch from bugfix to dev December 17, 2025 10:31
@runderwoodcr14
Contributor

This feature is really needed; I think it will make a great leap towards Cloud Native using the CNCF landscape.
