fix(oauth2): google oauth2 whitelisting. #11372

Merged
merged 4 commits into from
Dec 12, 2024

fix(oauth2): Fix google oauth2 whitelisting.

aad7948

DryRunSecurity / Authn/Authz Analyzer succeeded Dec 5, 2024 in 3s

DryRun Security

Authn/Authz Analyzer Findings: 1 detected

⚠️ Potential Authn/Authz Function Used or Modified: dojo/settings/settings.dist.py

Type: Potential Authn/Authz Function Used or Modified
Description: "This code configures settings for Google OAuth2 authentication, including enabling the feature, setting the client ID and secret, and defining whitelisted domains and emails for authorized users. These settings directly impact the authentication mechanisms and access control logic of the application, making them relevant to sensitive authentication and authorization functionality."
Filename: dojo/settings/settings.dist.py
CodeLink:
GOOGLE_OAUTH_ENABLED = env("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED")
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = env("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_KEY")
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = env("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET")
SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS = tuple(env.list("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS", default=[""]))
SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS = tuple(env.list("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS", default=[""]))
SOCIAL_AUTH_LOGIN_ERROR_URL = "/login"
SOCIAL_AUTH_BACKEND_ERROR_URL = "/login"