
Advance OIDC to enable groups mapping #13489

Closed
manuel-sommer wants to merge 17 commits into DefectDojo:dev from manuel-sommer:implement_oidc_groups

Conversation

@manuel-sommer
Contributor

@manuel-sommer manuel-sommer commented Oct 21, 2025

  • Implement OIDC groups to be parsed.
  • Added Unittests for update_oidc_groups and update_azure_groups

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Oct 21, 2025
@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. unittests labels Oct 30, 2025
@manuel-sommer manuel-sommer marked this pull request as ready for review October 31, 2025 06:47
@github-actions github-actions bot added the docs label Oct 31, 2025
@dryrunsecurity

dryrunsecurity bot commented Oct 31, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies multiple sensitive codepaths (dojo/pipeline.py, dojo/models.py, dojo/group/utils.py, and a DB migration) flagged for sensitive edits and requiring verification against .dryrunsecurity.yaml, and it also introduces a potential ReDoS risk by using the admin-configurable settings.OIDC_GROUPS_FILTER directly in re.search without validation or timeout. Reviewers should confirm allowed authors/paths in .dryrunsecurity.yaml and validate or safely handle the OIDC regex to mitigate catastrophic backtracking.

🔴 Configured Codepaths Edit in dojo/pipeline.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/models.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/db_migrations/0252_alter_dojo_group_social_provider.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/group/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Regular Expression Denial of Service (ReDoS) in dojo/pipeline.py
Vulnerability Regular Expression Denial of Service (ReDoS)
Description The function uses a user-configurable setting, settings.OIDC_GROUPS_FILTER, directly as a regular expression pattern in re.search(). There is no validation on the complexity of this pattern, nor is there a timeout mechanism. If an administrator configures a vulnerable regex (e.g., one susceptible to catastrophic backtracking), an attacker who can influence the group names returned by the OIDC provider could trigger a Denial of Service.

if group_filter and not re.search(group_filter, group_name):
    logger.debug(f"Skipping group '{group_name}' due to OIDC_GROUPS_FILTER: {group_filter}")
    continue
filtered_group_names.append(group_name)

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
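As an added illustration of the guard the bot is asking for (this is example code written here, not code from the PR or from DefectDojo), the block below compiles and checks the admin-configured pattern once, at settings-load time, and length-caps provider-supplied group names before any regex runs. Only the setting name OIDC_GROUPS_FILTER and the `re.search` loop come from the PR; `validate_group_filter`, `filter_groups`, the 256-character cap, the 50-repeat threshold and the sample group names are assumptions made for this example. The nested-quantifier check walks CPython's regex parse tree through `re._parser` (formerly `sre_parse`), which is an internal, unsupported API, and it is a heuristic: it catches the `(a+)+` family but not every ReDoS shape (overlapping alternation such as `(a|a)+` slips through), so the length cap stays as the second line of defence.

```python
"""Example (not DefectDojo code): validate an admin-supplied group regex before
it runs against IdP-controlled group names, and bound the names themselves."""
import logging
import re
import time

try:                      # CPython 3.11+ keeps the regex parser under re._parser
    from re import _parser as sre_parse
except ImportError:       # older CPython exposes it as sre_parse
    import sre_parse

logger = logging.getLogger(__name__)

MAX_GROUP_NAME_LEN = 256  # assumed cap on one group claim; IdP claims are attacker-influenced
HEAVY_REPEAT_MAX = 50     # assumed threshold: bounded repeats above this count as unbounded
_REPEAT_OPS = {op for op in (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT,
                             getattr(sre_parse, "POSSESSIVE_REPEAT", None)) if op is not None}


def _subpatterns(av):
    """Yield every SubPattern nested anywhere inside an opcode argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)


def _heavy_repeat_depth(sub, depth=0):
    """Deepest nesting of 'heavy' (unbounded or large) repeats in a parse tree."""
    deepest = depth
    for op, av in sub:
        here = depth
        if op in _REPEAT_OPS:
            _min, _max, _body = av
            if _max == sre_parse.MAXREPEAT or _max > HEAVY_REPEAT_MAX:
                here += 1
        deepest = max(deepest, here)
        for child in _subpatterns(av):
            deepest = max(deepest, _heavy_repeat_depth(child, here))
    return deepest


def has_nested_quantifier(pattern):
    """True when one heavy repeat sits inside another, e.g. (a+)+ or (\\w+\\s?)+ ."""
    return _heavy_repeat_depth(sre_parse.parse(pattern)) >= 2


def validate_group_filter(pattern):
    """Return None if the pattern is acceptable, else a reason to reject it."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return f"is not a valid regular expression: {exc}"
    if has_nested_quantifier(pattern):
        return "nests one unbounded quantifier inside another; it can backtrack catastrophically"
    return None


def compile_group_filter(pattern):
    """Validate once at settings-load time, not per login; raise on a bad pattern."""
    problem = validate_group_filter(pattern)
    if problem:
        raise ValueError(f"OIDC_GROUPS_FILTER {problem}")
    return re.compile(pattern)


def filter_groups(group_names, group_filter):
    """The PR's loop with two guards: bounded input and a pre-validated, pre-compiled regex.
    search() is kept to mirror the PR; fullmatch() would be the tighter allowlist semantic."""
    filtered = []
    for name in group_names:
        if not isinstance(name, str) or len(name) > MAX_GROUP_NAME_LEN:
            logger.warning("Dropping non-string or over-long group claim (len=%s)",
                           len(name) if isinstance(name, str) else "n/a")
            continue
        if group_filter is not None and not group_filter.search(name):
            logger.debug("Skipping group %r due to OIDC_GROUPS_FILTER", name)
            continue
        filtered.append(name)
    return filtered


if __name__ == "__main__":
    evil = r"^(a+)+$"                       # classic catastrophic-backtracking shape
    for n in (12, 16, 20):                  # constructed adversarial "group names"
        start = time.perf_counter()
        re.search(evil, "a" * n + "!")      # the PR's call, unguarded
        print(f"n={n}: {time.perf_counter() - start:.3f}s")  # roughly doubles per extra 'a'
    print("validator says:", validate_group_filter(evil))
    print(filter_groups(["dojo-admins", "hr-staff"], compile_group_filter(r"^dojo-")))
```

Run stand-alone, the `__main__` section times the unguarded `re.search` against growing adversarial names so the exponential growth is visible, then shows the validator rejecting the same pattern. Wiring this into a Django settings module would mean calling `compile_group_filter` where OIDC_GROUPS_FILTER is read, so a bad pattern fails at startup instead of at a user's login.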

@manuel-sommer
Contributor Author

@valentijnscholten could you please take a look here?

@manuel-sommer manuel-sommer changed the title Implement OIDC groups mapping Advance OIDC to enable groups mapping Nov 4, 2025
@github-actions
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@manuel-sommer manuel-sommer changed the base branch from bugfix to dev December 17, 2025 10:31
@runderwoodcr14
Contributor

This feature is really needed, I think will make a great leap towards Cloud Native using CNCF landscape

@quirinziessler
Contributor

Is there any update on this? When can I expect this to be part of the main versions? Checking out the branch, it works without issues. Would appreciate this getting merged soon and really making use of DD's IdP integration.

@github-actions
Contributor

github-actions bot commented Feb 2, 2026

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@devGregA
Contributor

devGregA commented Feb 9, 2026

Hi @manuel-sommer, sorry for the delay here. Thank you for your pull request and contributions to Dojo.

@mtesauro and @Maffooch pinged me on this one a while ago, so totally my fault for the delay. After considering for quite some time, I’m of the opinion a feature like this isn’t something we should be maintaining in OS for several reasons:

  1. We can’t reasonably maintain tests and functionality around this feature. One area DefectDojo shines and we regularly get constant positive feedback on is the feature set we have works as advertised. Maintaining test coverage, accounts around this feature, etc, would be a major burden for our project maintainers.

  2. Maintaining this feature would essentially be subsidizing enterprises that can afford to support DefectDojo and be a Pro customer. One of the things we’re always trying to balance is OS vs Pro. If we don’t generate enough biz, we can’t maintain open source. If a company is large enough to use SSO with groups, it seems reasonable they should be on Pro, which in turn helps us to maintain open source, rather than making it more difficult to maintain as outlined in 1.

@devGregA devGregA closed this Feb 9, 2026
@manuel-sommer
Contributor Author

Hi @devGregA ,
would this PR be accepted if I remove the update_oidc_groups method? So, just the OIDC migration?


Labels

conflicts-detected; docs; New Migration (Adding a new migration file. Take care when merging.); settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR); unittests


4 participants
