Fixes pentest issue DG25-11 from 2025-09-02 #1593
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filipslezaklab
approved these changes
Sep 19, 2025
j-chmielewski
added a commit
that referenced
this pull request
Sep 24, 2025
* fix password reset grpc sending unparsed user agent (#1546) Co-authored-by: Filip Ślęzak <[email protected]> * Fixes pentest issue DG25-10 from 2025-09-02 (#1579) * validate phone number during enrollment * also check phone numbers in core API endpoints * Do not display sensitive data from protos (#1580) * Don't send empty strings when phone number is not provided (#1583) * don't send empty strings when phone number is not providecleand * use zod trim() instead of trimObjectStrings helper * Fixes pentest issue DG25-17 from 2025-09-02 (#1581) * fix open redirect pentest issue * add tests and handling of get requests, allow redirects if url is allowed for the client * compare the whole url, not just domain * cargo clippy fixes * wip fix openid flow tests * fix panic in the contains_redirect_url method * cleanup eprintln statements * bring back the other openid flow test * state-based fallback url in openid test * ensure openid client names don't contain HTML (#1587) * ensure login responses don't allow login enumeration (#1588) * Fixes pentest issue DG25-24 from 2025-09-02 (#1585) * put mail handler into a separate crate (#1590) * put random & secret modules into a common crate * move DB setup code to common crate * move version to common crate * move id types to common crate * move AuthCode model into common crate * move auth key model * move biometric auth model * move device login model * remove unnecessary feature flags * move global value macro * move model error * move server config * move hex module * move protos to a separate crate * put mailer into a separate crate * update query data * remove commented out code * add new crates * update flake inputs * move AsCsv trait * fix failing test * move claims struct * Cleanup and revive OpenID login test (#1591) * use default subject as fallback (#1593) * Fixes pentest issue DG25-25 and DG25-20 from 2025-09-02 (#1574) * Fixes pentest issue DG25-32 from 2025-09-02 (#1597) * custom Debug implementation for Settings struct to avoid exposing license key in logs * cargo update * fix document links (#1599) * fix links in readme * fix frontend links * bump version to 1.5.1 * sanitize branch name for docker cache * don't log settings during partial update * cargo fmt --------- Co-authored-by: Aleksander <[email protected]> Co-authored-by: Maciej Wójcik <[email protected]> Co-authored-by: Maciek <[email protected]> Co-authored-by: Filip Ślęzak <[email protected]> Co-authored-by: Adam <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request fixes vulnerabilities from penetration tests done by our security team on 2025-09-02:
title: Improper handling of user-provided input leads to panic
ID: DG25-11
raport details: https://defguard.net/pentesting/
Fall back to default enrollment email subject if it is somehow None. The field itself is indeed nullable, but it gets initialized on system startup so the issue would not occur under normal circumstances.
Closes #1552