
Conversation

@kiblik
Contributor

@kiblik kiblik commented Nov 24, 2025

Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
@dryrunsecurity

DryRun Security

This pull request contains a command-injection risk in the GitHub Actions workflow (.github/workflows/test-helm-chart.yml): the PR title is incompletely sanitized before being used in a shell command, allowing an attacker to include metacharacters (e.g., ;, `, $, quotes, parentheses) in a title to execute arbitrary commands in the runner (e.g., "test; echo pwned").

Command Injection in .github/workflows/test-helm-chart.yml
Vulnerability: Command Injection
Description: The GitHub Actions workflow attempts to sanitize the pull request title before using it in a shell command. However, the sanitization is incomplete, as it does not remove critical shell metacharacters such as spaces, single quotes, double quotes, backslashes, dollar signs, parentheses, semicolons, or backticks. An attacker can craft a malicious pull request title containing these characters to inject arbitrary shell commands, which will be executed by the yq command within the GitHub Actions runner. For example, a title like test; echo pwned would execute echo pwned.

yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: $title\n"' helm/defectdojo/Chart.yaml
git add helm/defectdojo/Chart.yaml
git commit -m "ci: update Chart annotations from PR #${{ github.event.pull_request.number }}" || echo "No changes to commit"


All finding details can be found in the DryRun Security Dashboard.
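A hardened form of the workflow step the finding above describes, added here as an example rather than the project's actual fix. It assumes yq v4 (mikefarah), whose strenv() reads an environment variable as a string; the step name and the PR_TITLE / PR_NUMBER variable names are placeholders.

```yaml
# Added example, not the DefectDojo project's own workflow step.
# GitHub substitutes the value of ${{ github.event.pull_request.title }}
# into the script text before bash ever runs it, so no quoting or sed-based
# stripping inside the script can make the title safe. Passing it through
# `env:` hands it to the shell as data instead, and yq reads it with
# strenv(), so the title never reaches a shell parser at all.
- name: Record PR title in Chart annotations
  env:
    # Evaluated by GitHub into environment variables, not spliced into the script
    PR_TITLE: ${{ github.event.pull_request.title }}
    PR_NUMBER: ${{ github.event.pull_request.number }}
  run: |
    yq -i '.annotations."artifacthub.io/changes" += ("- kind: changed\n  description: " + strenv(PR_TITLE) + "\n")' helm/defectdojo/Chart.yaml
    git add helm/defectdojo/Chart.yaml
    git commit -m "ci: update Chart annotations from PR #${PR_NUMBER}" || echo "No changes to commit"
```

This closes the shell-injection path only; the annotation value is itself a YAML list that Artifact Hub parses, so a title containing newlines or YAML syntax can still corrupt that list and should be handled at the data level (for example by having yq emit it as a quoted scalar).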

@valentijnscholten valentijnscholten added this to the 2.53.0 milestone Nov 24, 2025
Contributor

@mtesauro mtesauro left a comment


Approved
