Conversation

@kiblik
Contributor

@kiblik kiblik commented Sep 17, 2025

During more testing of the HELM chart with schema, I noticed a collision like

- at '/django/mediaPersistentVolume/persistentVolumeClaim/storageClassName': got string, want null

@github-actions github-actions bot added the helm label Sep 17, 2025
@kiblik kiblik force-pushed the helm_fix_empty_strings branch from 084c0c6 to d1d6837 September 17, 2025 09:56
@kiblik kiblik marked this pull request as ready for review September 17, 2025 09:59
@dryrunsecurity

dryrunsecurity bot commented Sep 17, 2025

DryRun Security

This pull request introduces an insecure default configuration in the Helm chart (helm/defectdojo/values.yaml) by setting sensitive fields like admin.password, admin.secretKey, admin.credentialAes256Key, and admin.metricsHttpAuthPassword to empty strings. If deployed without overrides, this can produce blank credentials and missing cryptographic keys—allowing unauthorized access and compromising data integrity/confidentiality—while the chart does not enforce or auto-generate secure values.

Insecure Default Configuration in helm/defectdojo/values.yaml

Vulnerability: Insecure Default Configuration

Description: The Helm chart's values.yaml now defaults sensitive fields like admin.password, admin.secretKey, admin.credentialAes256Key, and admin.metricsHttpAuthPassword to empty strings. If a user deploys the chart without overriding these values, the application will be configured with blank or non-existent credentials and cryptographic keys. This leads to a highly insecure deployment, potentially allowing unauthorized access (due to an empty password) and compromising data integrity/confidentiality (due to empty secret/AES keys). The chart does not appear to enforce user-provided values or auto-generate secure ones when these are left empty.

admin:
  user: admin
  password: ""
  firstName: Administrator
  lastName: User
  mail: admin@defectdojo.local
  secretKey: ""
  credentialAes256Key: ""
  metricsHttpAuthPassword: ""
monitoring:
  enabled: false

All finding details can be found in the DryRun Security Dashboard.
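A pre-install check an operator could run over a values file, as an added example that is not the chart's or the PR's code: it reproduces the `got string, want null` collision against a constructed schema fragment, shows a fragment that accepts either type, and separately flags the empty admin.* secrets from the DryRun finding, which a type check alone lets through. The dotted paths, schema fragments and sample values below are constructed assumptions, not taken from the chart's values.schema.json.

```python
from typing import Any
# JSON Schema type names -> predicates (only the types this check needs).
JSON_TYPES = {"null": lambda v: v is None, "string": lambda v: isinstance(v, str)}

# Hypothetical: the sensitive admin.* keys named in the DryRun finding.
SENSITIVE_PATHS = ("admin.password", "admin.secretKey",
                   "admin.credentialAes256Key", "admin.metricsHttpAuthPassword")

# Constructed values mirroring the finding's snippet; "" where the schema wanted null.
SAMPLE_VALUES = {
    "admin": {"user": "admin", "password": "", "secretKey": "",
              "credentialAes256Key": "", "metricsHttpAuthPassword": ""},
    "django": {"mediaPersistentVolume": {"persistentVolumeClaim": {"storageClassName": ""}}},
}
SC_PATH = "django.mediaPersistentVolume.persistentVolumeClaim.storageClassName"
STRICT_SCHEMA = {SC_PATH: ("null",)}            # constructed: null only -> collision
RELAXED_SCHEMA = {SC_PATH: ("string", "null")}  # constructed: either type accepted

def json_type(value: Any) -> str:
    """Name a value's JSON Schema type the way a validator error message would."""
    return next((n for n, p in JSON_TYPES.items() if p(value)), type(value).__name__)

def lookup(values: dict, dotted: str) -> Any:
    """Walk a dotted path; an absent key reads as null, like an unset Helm value."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def type_errors(values: dict, typed_paths: dict) -> list:
    """Report values whose type is outside the allowed set the schema gives for that path."""
    errors = []
    for path, allowed in typed_paths.items():
        v = lookup(values, path)
        if not any(JSON_TYPES[t](v) for t in allowed):
            errors.append(f"at '/{path.replace('.', '/')}': got {json_type(v)}, want {' or '.join(allowed)}")
    return errors

def blank_secret_errors(values: dict, paths=SENSITIVE_PATHS) -> list:
    """Flag sensitive keys left unset or as empty strings; a type check alone passes them."""
    errors = []
    for p in paths:
        v = lookup(values, p)
        if v is None or (isinstance(v, str) and not v.strip()):
            errors.append(f"{p} is unset or empty; override it before deploying")
    return errors
```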

@kiblik kiblik marked this pull request as draft September 17, 2025 10:01
@kiblik kiblik marked this pull request as ready for review September 17, 2025 11:51
Contributor

@mtesauro mtesauro left a comment

Approved

@Maffooch Maffooch merged commit cf62d26 into DefectDojo:dev Sep 19, 2025
87 checks passed
@kiblik kiblik deleted the helm_fix_empty_strings branch September 19, 2025 18:16
@valentijnscholten valentijnscholten added this to the 2.51.0 milestone Sep 20, 2025