
RemoteUser: Hide from Swagger #9961

Merged (1 commit) on May 2, 2024

Commit eae3221
DryRunSecurity / Authn/Authz Analyzer succeeded Apr 22, 2024 in 0s


Potentially Sensitive Functions: 3 detected

⚠️ Potential Authn/Authz Function Used or Modified: dojo/remote_user.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a RemoteUserScheme class which is likely related to authentication or authorization. The get_security_definition method in this class suggests that it is responsible for defining the security scheme for the API, which is typically related to authentication or authorization mechanisms.
File: dojo/remote_user.py
Code:

    priority = 1

    def get_security_definition(self, auto_schema):
        if not settings.AUTH_REMOTEUSER_VISIBLE_IN_SWAGGER:
            return {}
        header_name = settings.AUTH_REMOTEUSER_USERNAME_HEADER
        if header_name.startswith('HTTP_'):
            header_name = header_name[5:]
⚠️ Potential Authn/Authz Function Used or Modified: dojo/settings/settings.dist.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains several configuration options related to authentication, specifically the 'RemoteUser' authentication mechanism. The options include setting trusted proxy addresses, whether the 'RemoteUser' mechanism should only be used on the login page, and whether it should be visible in the Swagger documentation. These configuration options suggest that the code contains functions or mechanisms related to authentication and authorization.
File: dojo/settings/settings.dist.py
Code:

    DD_AUTH_REMOTEUSER_TRUSTED_PROXY=(list, ['127.0.0.1/32']),
    # REMOTE_USER will be processed only on the login page. See https://docs.djangoproject.com/en/3.2/howto/auth-remote-user/#using-remote-user-on-login-pages-only
    DD_AUTH_REMOTEUSER_LOGIN_ONLY=(bool, False),
    # `RemoteUser` is usually used behind an AuthN proxy, and users should not learn about this mechanism from Swagger because it is not usable by them directly.
    # It should be hidden by default.
    DD_AUTH_REMOTEUSER_VISIBLE_IN_SWAGGER=(bool, False),
    # Used if somebody maintains their own documentation on how to use DefectDojo in their own company.
    DD_DOCUMENTATION_URL=(str, 'https://documentation.defectdojo.com'),
    # Merging findings doesn't always work well with dedupe, reimport, etc.
⚠️ Potential Authn/Authz Function Used or Modified: dojo/settings/settings.dist.py
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains several variables related to authentication and authorization, such as AUTH_REMOTEUSER_LASTNAME_HEADER, AUTH_REMOTEUSER_GROUPS_HEADER, AUTH_REMOTEUSER_GROUPS_CLEANUP, and AUTH_REMOTEUSER_VISIBLE_IN_SWAGGER. These variables suggest that the code is dealing with remote user authentication and authorization, potentially using headers or other mechanisms to identify and authorize users.
File: dojo/settings/settings.dist.py
Code:

    AUTH_REMOTEUSER_LASTNAME_HEADER = env('DD_AUTH_REMOTEUSER_LASTNAME_HEADER')
    AUTH_REMOTEUSER_GROUPS_HEADER = env('DD_AUTH_REMOTEUSER_GROUPS_HEADER')
    AUTH_REMOTEUSER_GROUPS_CLEANUP = env('DD_AUTH_REMOTEUSER_GROUPS_CLEANUP')
    AUTH_REMOTEUSER_VISIBLE_IN_SWAGGER = env('DD_AUTH_REMOTEUSER_VISIBLE_IN_SWAGGER')
    AUTH_REMOTEUSER_TRUSTED_PROXY = IPSet()
    for ip_range in env('DD_AUTH_REMOTEUSER_TRUSTED_PROXY'):