Conversation

@kiblik
Contributor

@kiblik kiblik commented Oct 7, 2025

During the investigation, it is quite easy to get lost in many commits with the same comments.
This should make navigation easier.

@dryrunsecurity

dryrunsecurity bot commented Oct 7, 2025

DryRun Security

This pull request introduces a GitHub Actions workflow that uses the unsanitized inputs.release_number directly inside a git commit shell command, creating a command-injection risk where a crafted release_number with shell metacharacters could execute arbitrary commands on the workflow runner. The issue appears in .github/workflows/release-x-manual-helm-chart.yml (lines 120–121) and should be mitigated by properly validating or shell-escaping the input (or using safer GitHub Actions/CLI APIs).

Command Injection in Git Commit in .github/workflows/release-x-manual-helm-chart.yml

Vulnerability: Command Injection in Git Commit

Description: The GitHub Actions workflow uses the `inputs.release_number` variable directly within a `git commit` command without proper sanitization. GitHub Actions expressions (`${{...}}`) are evaluated before the shell command is executed, and the resulting string is inserted directly into the shell command. This means that if a malicious actor with write access to the repository provides a crafted `release_number` input containing shell metacharacters (e.g., `;`, `&&`, `$()`, backticks), they can inject and execute arbitrary commands on the workflow runner. This could lead to unauthorized command execution, data exfiltration, or repository corruption.

git commit -m "Update index.yaml - ${{ inputs.release_number }}"
git push -u origin helm-charts

All finding details can be found in the DryRun Security Dashboard.
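The mitigation the bot describes, as an added example that is not part of this PR or the DefectDojo repository: the workflow hands `inputs.release_number` to the shell through an `env:` variable instead of expanding it into the script text, and the script also allow-lists the value before using it. The script path and the dotted `N.N.N` release-number format are assumptions (the format is inferred from the 2.51.1 milestone on this PR).

```shell
#!/bin/sh
# Hardened form of the workflow's commit step (constructed example, not DefectDojo's code).
# In the workflow YAML the input reaches the shell as an environment variable, so it is
# never expanded into the script as code:
#
#   - name: Commit index.yaml
#     env:
#       RELEASE_NUMBER: ${{ inputs.release_number }}   # expression lands in env, not in the script
#     run: sh .github/scripts/commit-index.sh           # hypothetical path for this script
#
# The allow-list below is a second, defence-in-depth check on top of that.
set -eu

# Accept only a dotted numeric version such as 2.51.1 (assumed format).
validate_release_number() {
    case "$1" in
        # any character other than a digit or dot (newlines included) is rejected outright
        *[!0-9.]*|'') return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Build the commit message from an already validated value; prints it on stdout.
commit_message_for() {
    validate_release_number "$1" || return 1
    printf 'Update index.yaml - %s\n' "$1"
}

# Commit and push. The variable is always double-quoted, so the shell passes it as
# one argument and never interprets it as command text.
commit_index_update() {
    rn="$1"
    if ! validate_release_number "$rn"; then
        printf 'refusing to commit: release_number %s is not N.N.N\n' "$rn" >&2
        return 1
    fi
    git commit -m "$(commit_message_for "$rn")"
    git push -u origin helm-charts
}

# Only runs inside the workflow, where the env: block above sets RELEASE_NUMBER.
if [ -n "${RELEASE_NUMBER:-}" ]; then
    commit_index_update "$RELEASE_NUMBER"
fi
```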

@Maffooch Maffooch requested review from Jino-T and rossops October 7, 2025 18:04
Contributor

@mtesauro mtesauro left a comment


Approved

@valentijnscholten valentijnscholten added this to the 2.51.1 milestone Oct 8, 2025
@mtesauro mtesauro merged commit 3eb4e36 into DefectDojo:bugfix Oct 9, 2025
147 checks passed
@kiblik kiblik deleted the helm_verbose_com branch October 9, 2025 19:55
5 participants