Skip to content

fix(helm): Avoid forbidden chars in annotation#13772

Merged
mtesauro merged 1 commit intoDefectDojo:bugfixfrom
kiblik:helm_fix_annot
Nov 29, 2025
Merged

fix(helm): Avoid forbidden chars in annotation#13772
mtesauro merged 1 commit intoDefectDojo:bugfixfrom
kiblik:helm_fix_annot

Conversation

@kiblik
Copy link
Copy Markdown
Contributor

@kiblik kiblik commented Nov 24, 2025

@kiblik
fix(helm): Avoid forbidden chars in annotation
99e24c4 
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
This was referenced Nov 24, 2025
Merged
Merged
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Nov 24, 2025

DryRun Security

This pull request contains a command-injection risk in the GitHub Actions workflow (.github/workflows/test-helm-chart.yml): the PR title is incompletely sanitized before being used in a shell command, allowing an attacker to include metacharacters (e.g., ;, `, $, quotes, parentheses) in a title to execute arbitrary commands in the runner (e.g., "test; echo pwned").

Command Injection in .github/workflows/test-helm-chart.yml
Vulnerability Command Injection
Description The GitHub Actions workflow attempts to sanitize the pull request title before using it in a shell command. However, the sanitization is incomplete, as it does not remove critical shell metacharacters such as spaces, single quotes, double quotes, backslashes, dollar signs, parentheses, semicolons, or backticks. An attacker can craft a malicious pull request title containing these characters to inject arbitrary shell commands, which will be executed by the yq command within the GitHub Actions runner. For example, a title like test; echo pwned would execute echo pwned.

django-DefectDojo/.github/workflows/test-helm-chart.yml

Lines 122 to 125 in 99e24c4

yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: $title\n"' helm/defectdojo/Chart.yaml
git add helm/defectdojo/Chart.yaml
git commit -m "ci: update Chart annotations from PR #${{ github.event.pull_request.number }}" || echo "No changes to commit"

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten added this to the 2.53.0 milestone Nov 24, 2025
mtesauro
mtesauro approved these changes Nov 25, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro merged commit c69eb0e into DefectDojo:bugfix Nov 29, 2025
149 checks passed
@kiblik kiblik deleted the helm_fix_annot branch November 29, 2025 09:10
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
@kiblik
fix(helm): Avoid forbidden chars in annotation (DefectDojo#13772)
8be24f9 
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Maffooch approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

@rossops rossops Awaiting requested review from rossops

@Jino-T Jino-T Awaiting requested review from Jino-T

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.53.0

Development

Successfully merging this pull request may close these issues.

5 participants

@kiblik @mtesauro @valentijnscholten @Maffooch @blakeaowens