
Inline finding images on reports #10738

Merged
merged 2 commits into from
Aug 16, 2024

Conversation

dogboat
Contributor

@dogboat dogboat commented Aug 9, 2024

Description

This patch extends the file_images template to allow for inline-image generation. When called with format="INLINE", instead of generating picture tokens and using those to retrieve images, images will be encoded as base64 and embedded directly into the report. It updates the Finding and Endpoint listing widgets to use inline images.

Looking for feedback on this implementation; the PR would target release 2.37.2 or later.

[sc-6857]

@github-actions github-actions bot added the ui label Aug 9, 2024

dryrunsecurity bot commented Aug 9, 2024

DryRun Security Summary

The pull request focuses on improving the rendering of finding images in custom HTML reports for the Dojo application by introducing a new inline_image template filter, updating the file_images.html template to support an "INLINE" format, and modifying the custom_html_report_finding_list.html and custom_html_report_endpoint_list.html templates to use the "INLINE" format for displaying finding images.


Summary:

The code changes in this pull request focus on improving the rendering of finding images in custom HTML reports for the Dojo application. The key changes include:

  1. Introducing a new inline_image template filter in the display_tags.py module, which allows converting image files to base64-encoded data URIs for direct embedding in HTML.
  2. Updating the file_images.html template to support an "INLINE" format for displaying finding images, in addition to the existing "HTML" format.
  3. Modifying the custom_html_report_finding_list.html and custom_html_report_endpoint_list.html templates to use the "INLINE" format for displaying finding images.

From an application security perspective, these changes do not appear to introduce any obvious security vulnerabilities. The code is primarily focused on improving the user experience by providing an additional way to display finding images and ensuring that the image display is handled securely.

However, it's important to review the changes carefully to ensure that there are no indirect impacts on the application's security posture. This includes verifying that user-supplied input is properly sanitized, that sensitive information is not inadvertently exposed in the report, and that the report generation functionality does not introduce any other security risks, such as denial of service or file handling vulnerabilities.

Files Changed:

  1. dojo/templates/dojo/snippets/file_images.html: This file has been updated to handle the new "INLINE" format for displaying finding images, in addition to the existing "HTML" format.
  2. dojo/templates/dojo/custom_html_report_finding_list.html and dojo/templates/dojo/custom_html_report_endpoint_list.html: These files have been modified to use the "INLINE" format for displaying finding images in the custom HTML reports.
  3. dojo/templatetags/display_tags.py: A new inline_image template filter has been added, which allows converting image files to base64-encoded data URIs for direct embedding in HTML.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit d00d8d8 into DefectDojo:bugfix Aug 16, 2024
73 checks passed