
Conversation


@kiblik kiblik commented Oct 3, 2025

The annotation checker has not been working properly.

@github-actions github-actions bot added the helm label Oct 3, 2025
@kiblik kiblik force-pushed the helm_fix_changes_checker branch 10 times, most recently from 1b4710c to 08f0d6a on October 5, 2025 10:42
@github-actions github-actions bot removed the helm label Oct 5, 2025
@kiblik kiblik force-pushed the helm_fix_changes_checker branch from 08f0d6a to c4c0e10 on October 5, 2025 10:43
@kiblik kiblik marked this pull request as ready for review October 5, 2025 10:44
@kiblik kiblik force-pushed the helm_fix_changes_checker branch from c4c0e10 to c4dd39e on October 5, 2025 10:44

dryrunsecurity bot commented Oct 5, 2025

DryRun Security

This pull request introduces a GitHub Actions workflow that constructs and runs a shell command using the env.ct-branch environment variable (via git show), which could allow command injection if an attacker can control the branch name—potentially enabling remote code execution in the Actions runner. The issue appears in .github/workflows/test-helm-chart.yml (lines 83–86) and should be fixed by avoiding direct shell interpolation of untrusted branch names (e.g., use safe argument passing or sanitize/validate the variable).

Command Injection in GitHub Actions Workflow in .github/workflows/test-helm-chart.yml
Vulnerability: Command Injection in GitHub Actions Workflow
Description: The git show command within the GitHub Actions workflow constructs a shell command using the env.ct-branch environment variable. If an attacker can control the value of env.ct-branch (e.g., by naming a branch maliciously in a pull request), they could inject arbitrary shell commands. This could lead to remote code execution within the GitHub Actions runner environment.

target_annotation=$(git show "origin/${{ env.ct-branch }}:helm/defectdojo/Chart.yaml" | yq e '.annotations."artifacthub.io/changes"' -)
if [[ "$current_annotation" == "$target_annotation" ]]; then
echo "::error::The HELM chart has been updated but the 'artifacthub.io/changes' annotation in 'Chart.yaml' has not been changed (compared to '${{ env.ct-branch }}' branch)"


All finding details can be found in the DryRun Security Dashboard.
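The mechanism behind the finding above, as an added example that is neither the DefectDojo workflow's code nor the bot's output: GitHub Actions substitutes `${{ env.ct-branch }}` into the step's script as plain text before the shell parses it, so any shell metacharacters in the branch name become part of the command. The script below simulates that substitution, runs the step in the vulnerable form and in the form that passes the value through a variable instead of the script text, and uses a constructed `fake_git_show` function in place of `git show ... | yq` so it runs offline. The function names, the `CT_BRANCH` variable and the attacker branch name are assumptions made for this illustration. Whether the finding is exploitable in practice depends on where the workflow sets `ct-branch` (a pull request's head branch is attacker-named; the base branch is not), which the excerpt does not show.

```shell
#!/bin/sh
# Added example, not code from the DefectDojo repository. It simulates how
# GitHub Actions expands `${{ env.ct-branch }}` as text into a `run:` script
# before the shell starts, and contrasts that with passing the value through
# a variable. `fake_git_show` is a constructed stand-in for
# `git show "origin/<branch>:helm/defectdojo/Chart.yaml" | yq ...` so the
# demo needs neither a repository nor network access.

fake_git_show() {
  # Stand-in: real code would run git show "origin/$1:helm/defectdojo/Chart.yaml"
  printf 'annotation-for[%s]' "$1"
}

# Textual expansion of the `${{ ... }}` marker, the way the Actions runner does
# it: no quoting or escaping, the branch name is spliced straight into the script.
render_template() {
  template=$1
  value=$2
  marker='${{ env.ct-branch }}'
  prefix=${template%%"$marker"*}
  suffix=${template#*"$marker"}
  printf '%s' "$prefix$value$suffix"
}

# Vulnerable step: the expression sits inside the script text, so the shell
# parses whatever the branch name contains.
run_step_vulnerable() {
  template='target=$(fake_git_show "origin/${{ env.ct-branch }}"); printf "%s" "$target"'
  script=$(render_template "$template" "$1")
  eval "$script"
}

# Hardened step: the script text is fixed and the untrusted value reaches it
# only through a variable that is expanded as one double-quoted word. In the
# workflow this corresponds to `env: CT_BRANCH: ${{ env.ct-branch }}` on the
# step and "origin/$CT_BRANCH:helm/defectdojo/Chart.yaml" inside `run:`.
run_step_hardened() {
  CT_BRANCH=$1
  export CT_BRANCH
  script='target=$(fake_git_show "origin/$CT_BRANCH"); printf "%s" "$target"'
  eval "$script"
}

# Constructed attacker branch name. Git refnames cannot contain spaces, so the
# payload separates words with ${IFS}; it closes the double quote after
# origin/dev, runs its own command, then reopens the quote so the rest parses.
MALICIOUS_BRANCH='dev";echo${IFS}INJECTED;echo${IFS}"x'

main() {
  printf 'vulnerable: %s\n' "$(run_step_vulnerable "$MALICIOUS_BRANCH")"
  printf 'hardened:   %s\n' "$(run_step_hardened "$MALICIOUS_BRANCH")"
}
main
```

In the vulnerable form the injected `echo INJECTED` executes and its output lands in `$target`; in the hardened form the whole branch name, metacharacters included, is passed to `fake_git_show` as a single argument and `${IFS}` is never re-expanded. The same separation is what GitHub's own guidance asks for: evaluate the expression into the step's `env:` block and reference the variable from the shell, rather than writing the expression into the `run:` text.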

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro requested a review from rossops October 6, 2025 02:05
@Maffooch Maffooch merged commit 2da05de into DefectDojo:dev Oct 7, 2025
148 checks passed
@kiblik kiblik deleted the helm_fix_changes_checker branch October 7, 2025 16:50
5 participants