
Conversation

kiblik (Contributor) commented Dec 12, 2025

Avoid issue from #13856 + #13878

@kiblik kiblik marked this pull request as ready for review December 13, 2025 13:29
DryRun Security (@dryrunsecurity) commented:

This pull request introduces a command injection risk in the GitHub Actions workflow (.github/workflows/test-helm-chart.yml): the PR title (user-controlled) is embedded in a single-quoted shell string for a yq command without proper handling of single quotes, and the sanitization explicitly excludes single-quote escaping, allowing an attacker to terminate the string and inject arbitrary shell commands.

Command Injection in .github/workflows/test-helm-chart.yml

Vulnerability: Command Injection

Description: The GitHub Actions workflow uses the pull request title, which is user-controlled, in a shell command without properly sanitizing single quotes. The title variable is used within a single-quoted string in the yq command. If the pull request title contains a single quote, it can prematurely terminate the single-quoted string, allowing an attacker to inject arbitrary shell commands. The existing sanitization loop explicitly excludes the single quote character, making this vulnerability exploitable.

yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: '$title'\n"' helm/defectdojo/Chart.yaml
git add helm/defectdojo/Chart.yaml
git commit -m "ci: update Chart annotations from PR #${{ github.event.pull_request.number }}" || echo "No changes to commit"
All finding details can be found in the DryRun Security Dashboard.
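A hardened form of the workflow step discussed in the finding above, added here as an illustration; it is not code from the DefectDojo repository or from this PR. The point is to stop the shell from ever interpolating the title: `${{ github.event.pull_request.title }}` is expanded by the Actions runner before bash parses the script, so no quoting inside the script can protect against it, whereas a value placed in an `env:` block reaches the step as an ordinary environment variable that bash treats as data. Inside the yq expression the value is then read with yq v4's `strenv()` instead of being spliced into the string. The step name and the `TITLE` / `PR_NUMBER` variable names are assumptions.

```yaml
# Added example: hardened version of the Chart-annotation step.
# Assumptions: step name and the TITLE / PR_NUMBER variable names are ours;
# the file path and yq expression follow the snippet quoted in the finding.
- name: Update Chart annotations from PR (hardened)
  env:
    # Expansion of ${{ ... }} happens here, into an environment variable,
    # not into the shell script text, so the title cannot alter the script.
    TITLE: ${{ github.event.pull_request.title }}
    PR_NUMBER: ${{ github.event.pull_request.number }}
  run: |
    # strenv(TITLE) reads the variable as a YAML string inside yq; the shell
    # never sees the title, so single quotes, $(...) or backticks in it are inert.
    yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n  description: " + strenv(TITLE) + "\n"' helm/defectdojo/Chart.yaml
    git add helm/defectdojo/Chart.yaml
    # PR_NUMBER is numeric, but routing it through env keeps the pattern uniform.
    git commit -m "ci: update Chart annotations from PR #${PR_NUMBER}" || echo "No changes to commit"
```

This removes the shell-injection path the finding describes; any character-stripping loop becomes unnecessary for that purpose. What remains is an ordinary data-handling question (the title still ends up inside the annotation text), which is a YAML-content concern rather than a code-execution one.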

@valentijnscholten valentijnscholten added this to the 2.53.2 milestone Dec 13, 2025
mtesauro (Contributor) left a comment

Approved

@Maffooch Maffooch requested a review from blakeaowens December 15, 2025 06:28
@Maffooch Maffooch merged commit 01b2a16 into DefectDojo:bugfix Dec 15, 2025
148 of 149 checks passed
6 participants