🐛 add user mention notifications in note creation for Engagement, Finding, and Tests #13696
+29
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This pull request may disclose sensitive information in tag/mention notifications because notification messages include fields like engagement.name, finding.title, and test.title without checking that mentioned users are authorized to view those objects, potentially sending sensitive data via email, Slack, Teams, webhooks, and in-app alerts to unauthorized recipients.
Information Disclosure via Tagged Notifications in
|
| Vulnerability | Information Disclosure via Tagged Notifications |
|---|---|
| Description | The engagement.name is included in notifications sent to users who are tagged in a note. The notification system does not verify if the tagged user has appropriate permissions to view the associated engagement. If sensitive information is stored in the engagement.name field, it can be disclosed to unauthorized users through these notifications. |
django-DefectDojo/dojo/api_v2/views.py
Lines 540 to 543 in f86081c
Information Disclosure in Finding Notifications in dojo/api_v2/views.py
| Vulnerability | Information Disclosure in Finding Notifications |
|---|---|
| Description | The finding.title, which can contain sensitive details about a vulnerability, is included in notifications sent to users mentioned in a note. There is no authorization check to ensure that the mentioned user has permission to view the specific finding, leading to potential information disclosure to unauthorized individuals. |
django-DefectDojo/dojo/api_v2/views.py
Lines 1107 to 1110 in f86081c
Potential Information Disclosure in Test Notifications in dojo/api_v2/views.py
| Vulnerability | Potential Information Disclosure in Test Notifications |
|---|---|
| Description | The process_tag_notifications function, when triggered by a note on a Test, sends notifications that include the test.title as parent_title. This parent_title is then used in various notification channels (email, Slack, MS Teams, webhooks, and in-app alerts) as part of the notification content. If test.title contains sensitive information, and the recipients of these notifications are not authorized to view that sensitive information, it could lead to unintended information disclosure. The Test model's title field is a CharField with a max length of 200, and there are no explicit restrictions on the type of data it can store, making it possible for sensitive data to be present. |
django-DefectDojo/dojo/api_v2/views.py
Lines 2165 to 2168 in f86081c
All finding details can be found in the DryRun Security Dashboard.
Jino-T
approved these changes
Nov 13, 2025
valentijnscholten
approved these changes
Nov 13, 2025
blakeaowens
approved these changes
Nov 13, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement user mention notifications during note creation for Engagement, Finding, and Tests to enhance user engagement and communication. This change ensures that relevant users are notified when they are mentioned in notes, improving collaboration within the application.
[sc-12041]