
feat(disclaimers): Split disclaimers #10902

Merged (8 commits), Jan 23, 2025

Conversation

kiblik
Contributor

@kiblik kiblik commented Sep 12, 2024

Until now, all disclaimers have been the same, which is not the best.

Now you can choose between:

  • disclaimer_notifications
  • disclaimer_reports

There is one more to inform users that they should not include any personal information in notes:

  • disclaimer_notes

Plus, if there is an internal policy to have a disclaimer in all reports, it is possible to use disclaimer_reports_forced to not allow users to exclude it.

E.g.: (screenshots)

@github-actions github-actions bot added the New Migration Adding a new migration file. Take care when merging. label Sep 12, 2024

dryrunsecurity bot commented Sep 12, 2024

DryRun Security Summary

The pull request focuses on improving the handling and display of disclaimers in the Defect Dojo application by introducing separate settings for notifications and reports, enhancing security through input sanitization, and updating templates to use more granular disclaimer controls.


Summary:

The code changes in this pull request are primarily focused on improving the handling and display of disclaimers in various parts of the Defect Dojo application, particularly in the context of notifications and reports. The key changes include:

  1. Introducing separate settings for "disclaimer_notifications" and "disclaimer_reports" to allow for more granular control over the disclaimer content displayed in different parts of the application.
  2. Updating the templates to use the new, more specific disclaimer settings instead of the generic "disclaimer" setting.
  3. Ensuring that the disclaimer content is properly sanitized and escaped before being rendered in the templates to prevent potential security vulnerabilities, such as cross-site scripting (XSS).
  4. Improving the handling of user-supplied input, such as finding descriptions and other data, to ensure that it is properly validated and sanitized before being displayed.
  5. Enhancing the overall security and reliability of the notification and reporting functionality in the application.

Files Changed:

  • dojo/db_migrations/0221_system_settings_disclaimer_notif.py: This database migration script copies the value of the "disclaimer_notifications" field from the "System_Settings" model to the "disclaimer_reports" field, following best practices for database migrations.
  • docs/content/en/open_source/upgrading/2.43.md: This documentation update informs users about the changes to the "disclaimer" field, which has been renamed and split into three separate fields: "disclaimer_notifications", "disclaimer_reports", and "disclaimer_notes".
  • dojo/db_migrations/0220_system_settings_disclaimer_notif.py: This database migration introduces new fields for "disclaimer_notifications", "disclaimer_reports", and "disclaimer_reports_forced", providing more granular control over the display of disclaimers.
  • dojo/forms.py: The changes include improvements to the JIRA integration, finding groups, risk acceptance functionality, and the addition of a new survey feature.
  • dojo/reports/views.py: The changes handle the inclusion of a disclaimer in various types of reports generated by the application.
  • dojo/templates/dojo/custom_html_report.html: The changes introduce a new disclaimer section in the HTML report template, with a focus on proper input sanitization and accessibility considerations.
  • dojo/templates/dojo/endpoint_pdf_report.html: The changes add the | safe filter to the {{ disclaimer }} variable to prevent potential cross-site scripting (XSS) vulnerabilities.
  • dojo/models.py: The changes introduce new fields in the System_Settings model to handle custom disclaimers for notifications and reports.
  • dojo/templates/dojo/finding_pdf_report.html: The changes add the | safe filter to the {{ disclaimer }} variable to prevent potential XSS vulnerabilities.
  • dojo/templates/dojo/engagement_pdf_report.html: The changes add the | safe filter to the {{ disclaimer }} variable to prevent potential XSS vulnerabilities.
  • dojo/templates/dojo/product_endpoint_pdf_report.html: The changes add the | safe filter to the {{ disclaimer }} variable to prevent potential XSS vulnerabilities.
  • dojo/templates/dojo/product_pdf_report.html: The changes add the | safe filter to the {{ disclaimer }} variable to prevent potential XSS vulnerabilities.
  • dojo/templates/dojo/findings_list_snippet.html: The changes introduce a disclaimer message in the bulk edit functionality.
  • dojo/templates/dojo/form_fields.html: The changes add a new section to display a disclaimer if the form.disclaimer field is present.
  • dojo/templates/dojo/product_type_pdf_report.html: The changes update the disclaimer handling to use the system_settings.disclaimer_notifications field.
  • dojo/templates/notifications/alert/review_requested.tpl: The changes update the disclaimer handling to use the system_settings.disclaimer_notifications field.
  • dojo/templates/notifications/mail/engagement_added.tpl: The changes update the disclaimer handling to use the system_settings.disclaimer_notifications field.
  • dojo/templates/notifications/mail/product_added.tpl: The changes update the disclaimer handling to use the system_settings.disclaimer_notifications field.
  • `dojo/templates/notifications/mail/other

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Cross-Site Scripting Analyzer, 8 findings

Overall Riskiness

🟡 Please give this pull request extra attention during review.

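The summary above repeatedly mentions adding the `| safe` filter to `{{ disclaimer }}` in the PDF report templates. In Django templates autoescaping is on by default, and `| safe` switches it off for that one value: the string stored in System_Settings is emitted verbatim, so any cleaning of the disclaimer has to happen before it reaches the template. The block below is an added example, not code from this PR or from Django (Django is not imported): `render_autoescaped` stands in for `{{ disclaimer }}`, `render_marked_safe` for `{{ disclaimer | safe }}`, and `sanitize_html` is a hypothetical allow-list cleaner standing in for whatever the application applies to the stored value. The sample disclaimer and the allowed tag set are constructed for the example.

```python
"""Plain-Python model of Django template autoescaping versus ``| safe``.

Added example; not code from DefectDojo or Django (Django is not
imported). ``render_autoescaped`` stands in for ``{{ disclaimer }}`` and
``render_marked_safe`` for ``{{ disclaimer | safe }}``. ``sanitize_html``
is a hypothetical allow-list cleaner standing in for whatever the
application applies to the stored disclaimer before it is marked safe.
"""
from html import escape
from html.parser import HTMLParser

# Tags an administrator may use in a disclaimer (an assumption for this example).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em"}

# Constructed sample: a stored disclaimer whose value has been tampered with.
SAMPLE_DISCLAIMER = (
    '<p>Confidential. <b>Do not forward.</b></p>'
    '<img src="x" onerror="alert(1)">'
)


def render_autoescaped(value: str) -> str:
    """``{{ value }}`` with autoescape on: markup is shown as text, never interpreted."""
    return escape(value, quote=True)


def render_marked_safe(value: str) -> str:
    """``{{ value | safe }}``: autoescaping is skipped and the string is emitted as-is."""
    return value


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags, with no attributes at all."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:          # attributes (onerror=, onclick=, style=) are dropped
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>, no stray closing tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))   # text nodes are always escaped


def sanitize_html(value: str) -> str:
    """Allow-list cleaner: output contains only ALLOWED_TAGS and escaped text."""
    parser = _AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


def render_disclaimer(value: str) -> str:
    """The order that matters: sanitize first, and only then bypass autoescaping."""
    return render_marked_safe(sanitize_html(value))


if __name__ == "__main__":
    print("autoescaped:", render_autoescaped(SAMPLE_DISCLAIMER))
    print("| safe, raw: ", render_marked_safe(SAMPLE_DISCLAIMER))
    print("sanitized:   ", render_disclaimer(SAMPLE_DISCLAIMER))
```

The point for review is the third line of output: `| safe` by itself keeps the `<img onerror=...>` element, autoescaping by itself turns the intended `<b>` formatting into visible text, and only the sanitize-then-mark-safe order gives formatted output without executable content. The disclaimer is administrator-controlled, so the risk is lower than for user-supplied findings text, but the template change alone is not what bounds it.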

@kiblik kiblik changed the title from afeat(disclaimers): Split disclaimers to feat(disclaimers): Split disclaimers Sep 12, 2024
@github-actions github-actions bot added the ui label Sep 20, 2024
@kiblik kiblik force-pushed the disclaimers branch 6 times, most recently from e3a271b to c9a2893 October 18, 2024 17:34
@kiblik kiblik marked this pull request as ready for review November 20, 2024 11:11
@kiblik kiblik requested review from Maffooch and mtesauro November 26, 2024 10:35
@kiblik kiblik closed this Dec 11, 2024
@kiblik kiblik reopened this Dec 11, 2024
Contributor


This could be consolidated into the other migration

Contributor Author


I'm not sure I understand this comment

Contributor


migrations 0220 and 0219 could be consolidated into the same plugin

Contributor Author


When (for any reason) RunPython fails, the migration is not marked as done. You can try to rerun the migrations when you fix the issue (it might be any issue). The problem is if RunPython is part of other migration steps (like RenameField, AddField, ...) that have been performed successfully. You can try to rerun the migration, but it will fail because you are not able to run the same RenameField or AddField.
RunPython is the step most sensitive to failure.
Because of this, we agreed that in this project, we will always put RunPython into a separate migration.
Same as:
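The failure mode described in the comment above can be made concrete with a small model of how migrations are applied. This is an added example, not code from DefectDojo or Django: the `RenameField`, `AddField`, `RunPython`, `Migration` and `migrate` definitions are constructed here to imitate the two properties that matter, namely that a migration is recorded as applied only after all of its operations succeed, and that schema operations are not idempotent (renaming a field that no longer exists fails). It assumes a database without transactional DDL, such as MySQL, where operations that already ran are not rolled back when a later one fails; on PostgreSQL and SQLite Django runs each migration in a transaction, so a failing data step also rolls back that migration's schema changes and the re-run problem does not arise in the same form. The field names follow the PR (`disclaimer` renamed to `disclaimer_notifications`, plus `disclaimer_reports`, `disclaimer_reports_forced` and `disclaimer_notes`); the sample row value is constructed.

```python
"""Model of why a RunPython data step is kept in its own migration.

Added example; not code from DefectDojo or Django. It imitates only the two
properties that matter here: a migration is recorded as applied after all of
its operations succeed, and schema operations are not idempotent. Transactional
DDL is assumed to be unavailable (as on MySQL), so operations that already ran
are kept when a later one fails. Field names follow the PR; everything else is
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable


class MigrationError(Exception):
    pass


@dataclass
class Schema:
    """The 'database': one table with a set of column names and a single row."""
    fields: set[str]
    row: dict[str, str]


@dataclass
class RenameField:
    old_name: str
    new_name: str

    def apply(self, db: Schema) -> None:
        if self.old_name not in db.fields:      # second run: column is already gone
            raise MigrationError(f"no column {self.old_name!r} to rename")
        db.fields.remove(self.old_name)
        db.fields.add(self.new_name)
        db.row[self.new_name] = db.row.pop(self.old_name, "")


@dataclass
class AddField:
    name: str

    def apply(self, db: Schema) -> None:
        if self.name in db.fields:              # second run: column already exists
            raise MigrationError(f"column {self.name!r} already exists")
        db.fields.add(self.name)
        db.row.setdefault(self.name, "")


@dataclass
class RunPython:
    code: Callable[[Schema], None]

    def apply(self, db: Schema) -> None:
        self.code(db)


@dataclass
class Migration:
    name: str
    operations: list


def migrate(db: Schema, applied: set[str], plan: list[Migration]) -> None:
    """Apply unapplied migrations in order; stop at the first failure."""
    for migration in plan:
        if migration.name in applied:
            continue
        for op in migration.operations:
            op.apply(db)                 # partial progress is kept (no transactional DDL)
        applied.add(migration.name)      # recorded only when every operation succeeded


def copy_notifications_to_reports(db: Schema) -> None:
    """The data step from the PR: seed disclaimer_reports from disclaimer_notifications."""
    db.row["disclaimer_reports"] = db.row["disclaimer_notifications"]


def failing_copy(db: Schema) -> None:
    """Stand-in for a data step that fails on the first attempt (bad data, timeout, ...)."""
    raise MigrationError("data step failed")


def retry_after_failure(split: bool) -> bool:
    """Run with a failing data step, 'fix' it, rerun. Returns True if the rerun succeeds."""
    db = Schema(fields={"disclaimer"}, row={"disclaimer": "Confidential"})
    applied: set[str] = set()
    schema_ops = [
        RenameField("disclaimer", "disclaimer_notifications"),
        AddField("disclaimer_reports"),
        AddField("disclaimer_reports_forced"),
        AddField("disclaimer_notes"),
    ]

    def plan(data_step):
        if split:   # schema in 0220, data copy alone in 0221
            return [Migration("0220_schema", schema_ops),
                    Migration("0221_data", [RunPython(data_step)])]
        return [Migration("0220_combined", schema_ops + [RunPython(data_step)])]

    try:
        migrate(db, applied, plan(failing_copy))
    except MigrationError:
        pass                    # first attempt fails in the data step
    try:
        migrate(db, applied, plan(copy_notifications_to_reports))
    except MigrationError:
        return False            # combined: rerun hits RenameField again and fails
    return db.row["disclaimer_reports"] == "Confidential"


if __name__ == "__main__":
    print("split migrations, rerun succeeds:   ", retry_after_failure(split=True))
    print("combined migration, rerun succeeds: ", retry_after_failure(split=False))
```

With the combined layout the first attempt leaves the rename and the new columns in place but never records the migration, so the rerun starts from the top and fails on `RenameField`; with the split layout `0220_schema` is recorded as applied and only `0221_data` runs again.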

Contributor


Ahh okay that makes sense! I'll keep this in mind going forward (for review and my own migrations)

Thanks for bringing the receipts 😄

Comment on lines 13 to 16
migrations.RenameField(
model_name='system_settings',
old_name='disclaimer',
new_name='disclaimer_notifications',
Member


I don't know how common this is, but it might affect users setting the disclaimer via the API. A little note in the upgrade notes? It also affects people who are using customized notification templates.

@kiblik kiblik requested a review from dogboat January 15, 2025 16:24
Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch merged commit a8040b4 into DefectDojo:dev Jan 23, 2025
73 checks passed
@kiblik kiblik deleted the disclaimers branch January 23, 2025 19:39
Labels
docs New Migration Adding a new migration file. Take care when merging. ui
6 participants