@kiblik kiblik commented Oct 23, 2025

@dryrunsecurity
DryRun Security

This pull request contains a command injection vulnerability in the GitHub Actions workflow (.github/workflows/test-helm-chart.yml) where github.event.pull_request.title is interpolated into a shell run step and a malicious PR title with a single quote can break out of the quoted string to execute arbitrary commands on the runner; the existing if-condition does not reliably mitigate this because an attacker can craft a branch name from a fork to meet it. Fix by properly sanitizing or avoiding direct shell interpolation (use safe inputs, environment variables, or GitHub Actions toolkit commands).

Command Injection in GitHub Actions in .github/workflows/test-helm-chart.yml

Vulnerability: Command Injection in GitHub Actions

Description: The GitHub Actions workflow directly interpolates github.event.pull_request.title into a shell command within a run step. Although the string is single-quoted, a malicious pull request title containing a single quote character (') can break out of the quoted string, allowing an attacker to inject and execute arbitrary shell commands on the GitHub Actions runner. The if condition does not prevent exploitation, as an attacker can create a PR from a forked repository with a branch name matching the condition (e.g., renovate/malicious-branch).

```yaml
          yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: ${{ github.event.pull_request.title }}\n"' helm/defectdojo/Chart.yaml
      - name: Run helm-docs (update)
        uses: losisin/helm-docs-github-action@a57fae5676e4c55a228ea654a1bcaec8dd3cf5b5 # v1.6.2
```


All finding details can be found in the DryRun Security Dashboard.
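The finding above describes the general pattern (an attacker-chosen event field expanded by `${{ }}` directly inside a `run:` script) and the fix it recommends (pass the value through an environment variable so it reaches the shell as data). The scanner below is an added example written for this page, not DryRun Security's or DefectDojo's code. It walks a workflow file line by line, collects the script of every `run:` step, and reports `${{ }}` expressions there that reference a context the PR author controls. The list of untrusted contexts is a non-exhaustive one taken from GitHub's workflow-hardening guidance; the embedded sample workflow is constructed, with the first step reproducing the flagged `yq` line and the second showing one hardened form (the title is read by yq's `strenv()` from `PR_TITLE`, which is my illustration rather than the project's actual fix). The parser only understands `run:` keys and YAML block scalars, not inputs to actions such as `github-script`.

```python
import re
from typing import List, Tuple

# Non-exhaustive list of expression contexts whose value is chosen by whoever
# opens the pull request, issue or comment. Taken from GitHub's workflow
# hardening guidance; extend it for your own environment.
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

# One ${{ ... }} expression; the body is captured without surrounding spaces.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# A `run:` key, optionally as a list item; group 1 is its value on that line.
RUN_KEY_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def is_untrusted(expr: str) -> bool:
    """True when the expression body references an attacker-chosen context."""
    return any(ctx in expr for ctx in UNTRUSTED_CONTEXTS)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def scan_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, expression body) for every ${{ }} that
    references an untrusted context inside the script of a `run:` step.
    Expressions elsewhere (e.g. under `env:`) are not reported: there the
    value becomes data rather than shell syntax."""
    findings: List[Tuple[int, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        script = [(i + 1, lines[i])]
        if m.group(1).strip().startswith(("|", ">")):
            # Block scalar: the script is every following line indented deeper
            # than the `run` key (blank lines included).
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
                script.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for lineno, line in script:
            for expr in EXPR_RE.findall(line):
                if is_untrusted(expr):
                    findings.append((lineno, expr))
    return findings


# Constructed sample workflow (not the project's file). Step 1 reproduces the
# flagged pattern; step 2 is one hardened form (the untrusted value reaches the
# shell only through an environment variable, read by yq's strenv()); step 3
# interpolates a value the PR author cannot choose.
SAMPLE_WORKFLOW = r"""name: demo
on: pull_request
jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      - name: Vulnerable - expression interpolated into the shell script
        run: |
          yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: ${{ github.event.pull_request.title }}\n"' helm/defectdojo/Chart.yaml
      - name: Hardened - the title enters the shell only as an environment variable
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          yq -i '.annotations."artifacthub.io/changes" += ("- kind: changed\n description: " + strenv(PR_TITLE) + "\n")' helm/defectdojo/Chart.yaml
      - name: Not attacker-controlled
        run: echo "building ${{ github.sha }}"
"""

if __name__ == "__main__":
    for lineno, expr in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: ${{{{ {expr} }}}} is expanded into a run: script; "
              f"pass it through env: and reference the variable instead")
```

Only the first step is reported. The `env:` mapping in the second step also contains `${{ github.event.pull_request.title }}`, but the expansion happens when the runner builds the process environment, so a title containing quotes or metacharacters is just the value of `$PR_TITLE` and never re-parsed by the shell. Running a check like this in CI, or adopting the equivalent rules in a workflow linter, catches the pattern before a reviewer has to spot it by eye.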

@valentijnscholten valentijnscholten added this to the 2.51.3 milestone Oct 23, 2025
@mtesauro mtesauro left a comment

Approved

@valentijnscholten valentijnscholten merged commit 3881936 into DefectDojo:bugfix Oct 27, 2025
148 checks passed
@kiblik kiblik deleted the helm_update_renovate branch October 27, 2025 17:19
@valentijnscholten valentijnscholten modified the milestones: 2.51.3, 2.52.0 Oct 27, 2025
kiblik added four commits to kiblik/django-DefectDojo that referenced this pull request Nov 4, 2025