
Conversation

@paulOsinski
Contributor

Adds Apollo JS to documentation (used by DD Inc)

@dryrunsecurity

dryrunsecurity bot commented Nov 18, 2025

DryRun Security

This pull request adds external JavaScript loads from static.reo.dev and assets.apollo.io in docs/layouts/_partials/head/script-header.html without Subresource Integrity (SRI) protection, creating a supply-chain risk where a compromise of those providers could lead to XSS or data theft (made worse by a dynamic nocache parameter that prevents a stable SRI hash). Consider adding SRI hashes where possible, avoiding dynamic cache-busting parameters for third-party scripts, or self-hosting/mitigating the dependency to reduce the risk.

Third-Party Script Inclusion / Supply Chain Risk in docs/layouts/_partials/head/script-header.html

Vulnerability: Third-Party Script Inclusion / Supply Chain Risk

Description: The code loads JavaScript from two external domains (static.reo.dev and assets.apollo.io) without Subresource Integrity (SRI) checks. This creates a supply chain risk. If either of these third-party services is compromised, malicious JavaScript could be executed on this site, leading to attacks like Cross-Site Scripting (XSS) or data theft. The dynamic nocache parameter for the Apollo script further complicates the use of static SRI hashes.

```html
<!-- Insert scripts NOT needed by stylesheets here -->
<!-- Start of Reo Javascript -->
<script type="text/javascript">
!function () { var e, t, n; e = "a92cfcfa51eca96", t = function () { Reo.init({ clientID: "a92cfcfa51eca96" }) }, (n = document.createElement("script")).src = "https://static.reo.dev/" + e + "/reo.js", n.async = !0, n.onload = t, document.head.appendChild(n) }();
</script>
<!-- End of Reo Javascript -->
<script>
function initApollo() {
  var n = Math.random().toString(36).substring(7), o = document.createElement("script");
  o.src = "https://assets.apollo.io/micro/website-tracker/tracker.iife.js?nocache=" + n, o.async = !0, o.defer = !0,
  o.onload = function () { window.trackingFunctions.onLoad({ appId: "68ffca00b8c4dc001de5fec3" }) },
  document.head.appendChild(o)
}
initApollo();
</script>
```


All finding details can be found in the DryRun Security Dashboard.

Contributor

@mtesauro mtesauro left a comment


Approved

@valentijnscholten valentijnscholten added this to the 2.52.3 milestone Nov 19, 2025
@Maffooch Maffooch merged commit a85bbba into DefectDojo:bugfix Nov 20, 2025
151 checks passed