feat: add Remove from Finding bulk action on View Finding page

[valentijnscholten]

Summary

While working on #14660 I noticed the "delete" icon was missing from the endpoint bulk edit menu on the View Finding page.

• Add a Remove from Finding trash button next to the Bulk Edit dropdown on the View Finding page, allowing users to disassociate selected endpoints from a finding without deleting the endpoint objects themselves
• Non-V3 path (endpoint_status_bulk_update): when remove_from_finding is posted, delete the matching Endpoint_Status records for the selected endpoints
• V3/Locations path (finding_location_bulk_update): when remove_from_finding is posted, delete the matching LocationFindingReference records
• Both views already require Finding_Edit permission via @user_is_authorized; no additional permission check is needed
• The JS appends selected endpoint IDs and the remove_from_finding flag to the existing bulk_change_form before submitting, reusing the same form and URL as the bulk status update
• Add unit tests covering single removal, partial removal, multi-endpoint removal, Endpoint_Status cleanup, no-op without the flag, and redirect behaviour

[dryrunsecurity]

🟡 Please give this pull request extra attention during review.

This pull request introduces a DOM-based XSS risk: JavaScript builds HTML strings by concatenating checkbox element IDs into jQuery-created inputs (e.g., $('')) without escaping or validation, allowing a maliciously controlled id to break out of the attribute and inject arbitrary HTML/JS. The vulnerable code is in dojo/templates/dojo/view_finding.html (lines ~1480–1483) and should use safe DOM APIs or properly escape/validate IDs before insertion.

🟡 Potential Cross-Site Scripting in dojo/templates/dojo/view_finding.html (drs_d4ab1456)

Vulnerability

Potential Cross-Site Scripting

Description

The JavaScript concatenates checkbox element IDs directly into HTML strings used to create hidden input elements: $(''). If an attacker can control an element's id, they can inject characters that break out of the attribute context and add arbitrary HTML/JS, leading to DOM-based XSS. The code does not escape or otherwise validate the id before concatenation and uses innerHTML-like construction via jQuery HTML parser instead of safe DOM methods.

django-DefectDojo/dojo/templates/dojo/view_finding.html

Lines 1480 to 1483 in f7dba93

	var hidden_input = $('<input type="hidden" value="' + this.id + '" name="endpoints_to_update">');
	$('form#bulk_change_form').append(hidden_input);
	});
	$('form#bulk_change_form').append($('<input type="hidden" name="remove_from_finding" value="1">'));

---

Comment to provide feedback on these findings.

Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]

Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing

All finding details can be found in the DryRun Security Dashboard.

[dogboat]

Handy! This works, I just had some questions about the way the UI renders. Could be just my system tho.

[dogboat]

This is what it looks like to me, on both Chrome and Firefox (MacOS):

...which is weird, because you posted a screenshot that looks fantastic. Is it just me?

[dogboat]

Any chance we could have the click handler be on the entire button and not just the anchor? As it is now, I have to click the anchor content, which is a bit smaller than the button itself. When I was testing I hit the button but not the icon, which didn't trigger the action.

[valentijnscholten]

The screenshot is old and now I have an even newer one where the trash button looks the same as in other places, red on a grey background. Click handler adjusted, can't believe I didn't do that myself as I hate buttons not being clickable.

From another place in dojo the trash icon: