Release: Merge release into master from: release/2.55.0#14230
….0-dev Release: Merge back 2.54.0 into dev from: master-into-dev/2.54.0-2.55.0-dev
Bumps [django-polymorphic](https://github.com/jazzband/django-polymorphic) from 4.5.2 to 4.6.0. - [Release notes](https://github.com/jazzband/django-polymorphic/releases) - [Changelog](https://github.com/jazzband/django-polymorphic/blob/master/docs/changelog.rst) - [Commits](jazzband/django-polymorphic@v4.5.2...v4.6.0) --- updated-dependencies: - dependency-name: django-polymorphic dependency-version: 4.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* remove dojo_model_to/from_id decorator * remove dojo_model_from/to_id * remove dojo_model_from/to_id * remove dojo_model_from/to_id * remove dojo_model_from/to_id * fix tests * remove leftover signature methods * fix test counts * fix test counts * fix test counts * Update dojo/settings/settings.dist.py Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * fix test --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
* Revise README for Docker Compose V2 updates Updated README to reflect changes for Docker Compose V2 and removed outdated V1 instructions. * Revise demo links and installation options in README Updated demo environment description and installation options. * Fix Slack community link and improve wording Updated Slack community link and adjusted text for clarity. * Revise social media links and Slack community invitation Updated social media links and community invitation text. * Add files via upload * Update Slack logo link and Twitter image source * Update image sources in README.md * Fix image height in Community section of README * Add files via upload * Update image height in README.md * Revise community portal and Pro edition details Updated community engagement links and enhanced Pro edition description. * Fix formatting in installation options section * Update README.md * Update README.md --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Bumps [django-dbbackup](https://github.com/Archmonger/django-dbbackup) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/Archmonger/django-dbbackup/releases) - [Changelog](https://github.com/Archmonger/django-dbbackup/blob/master/CHANGELOG.md) - [Commits](Archmonger/django-dbbackup@5.1.0...5.1.1) --- updated-dependencies: - dependency-name: django-dbbackup dependency-version: 5.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-polymorphic](https://github.com/jazzband/django-polymorphic) from 4.6.0 to 4.8.0. - [Release notes](https://github.com/jazzband/django-polymorphic/releases) - [Changelog](https://github.com/jazzband/django-polymorphic/blob/master/docs/changelog.rst) - [Commits](jazzband/django-polymorphic@v4.6.0...v4.8.0) --- updated-dependencies: - dependency-name: django-polymorphic dependency-version: 4.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….20.0 (docker-compose.override.dev.yml) (#14057) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.3.0 to 0.3.1. - [Release notes](https://github.com/bpampuch/pdfmake/releases) - [Changelog](https://github.com/bpampuch/pdfmake/blob/master/CHANGELOG.md) - [Commits](bpampuch/pdfmake@0.3.0...0.3.1) --- updated-dependencies: - dependency-name: pdfmake dependency-version: 0.3.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [celery[sqs]](https://github.com/celery/celery) from 5.6.1 to 5.6.2. - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/main/Changelog.rst) - [Commits](celery/celery@v5.6.1...v5.6.2) --- updated-dependencies: - dependency-name: celery[sqs] dependency-version: 5.6.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e.json) (#14053) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….0-dev Release: Merge back 2.54.1 into dev from: master-into-dev/2.54.1-2.55.0-dev
…42.80.1 (.github/workflows/renovate.yaml) (#14070) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.3.1 to 0.3.2. - [Release notes](https://github.com/bpampuch/pdfmake/releases) - [Changelog](https://github.com/bpampuch/pdfmake/blob/master/CHANGELOG.md) - [Commits](bpampuch/pdfmake@0.3.1...0.3.2) --- updated-dependencies: - dependency-name: pdfmake dependency-version: 0.3.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ckerfile.integration-tests-debian) (#14083) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…test-helm-chart.yml) (#14084) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…lidate_docs_build.yml) (#14086) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…t.yaml) (#14099) * Update valkey Docker tag from 0.13.0 to v0.15.0 (helm/defectdojo/Chart.yaml) * update Helm documentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…14091) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…lows/validate_docs_build.yml) (#14092) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [django-dbbackup](https://github.com/Archmonger/django-dbbackup) from 5.1.1 to 5.1.2. - [Release notes](https://github.com/Archmonger/django-dbbackup/releases) - [Changelog](https://github.com/Archmonger/django-dbbackup/blob/master/CHANGELOG.md) - [Commits](Archmonger/django-dbbackup@5.1.1...5.1.2) --- updated-dependencies: - dependency-name: django-dbbackup dependency-version: 5.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…github/workflows/cancel-outdated-workflow-runs.yml) (#14093) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… from v1.1.1 to v2 (.github/workflows/renovate.yaml) (#14102) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ub/workflows/validate_docs_build.yml) (#14108) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…0 to v6.1.1 (.github/workflows/release-drafter.yml) (#14126) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.3.2 to 0.3.3. - [Release notes](https://github.com/bpampuch/pdfmake/releases) - [Changelog](https://github.com/bpampuch/pdfmake/blob/master/CHANGELOG.md) - [Commits](bpampuch/pdfmake@0.3.2...0.3.3) --- updated-dependencies: - dependency-name: pdfmake dependency-version: 0.3.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…b/workflows/k8s-tests.yml) (#14199) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Include Trufflehog verified secret info in report * Revert title change * Pass verified flag to Finding object * Revert description change
) Bumps [jquery-ui](https://github.com/jquery/jquery-ui) from 1.14.1 to 1.14.2. - [Release notes](https://github.com/jquery/jquery-ui/releases) - [Commits](jquery/jquery-ui@1.14.1...1.14.2) --- updated-dependencies: - dependency-name: jquery-ui dependency-version: 1.14.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* update changelog headings * add nav highlight to header * init /get_started/ * add new top menu entries * move everything to a new directory * redesign header * dynamic colored logo * correct spacing * make a new menu * move all article content * mv remaining articles * make better search button * even better search button * update sectionNav and reorder articles * add glossary * add glossary text * add initial version switcher * adjust css adjust css make CSS nicer: color and top border remove flicker again * add version metadata to get_started articles * update walk partial to check single articles * finish get started content * finish setting up import content * inprogress - set up defectdojo structure * Create new docs for Metrics * fix &or remove all links * fix typo --------- Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com> Co-authored-by: dangoelz <dangoelz@gmail.com>
* locations: everything else * remove unnecessary todos * use proper field for location equal comparison * for pro proposition banner, use location count if v3 enabled * jira link updates * update view_finding, view_test templates and display_tags to look at import_settings locations * urls as unique * url uniqueness hash generation * rework url cleaning * update editing a product url to get/create * update or create url on form * fix edit/add endpoint views * update comment in settings re: endpoints as a hash code field * default skip_validation on basemodelwithouttimedelts#save to "not v3 enabled" * perf test updates
* fix broken header link * add release notes button * fetch latest in button * fix version select offset * fix xss vuln: escape HTML
Release 2.55.0: Merge Bugfix into Dev
This pull request introduces multiple GitHub Actions security issues: an actions/checkout step that persists GITHUB_TOKEN when mounting the repo into test containers (allowing malicious PR code to exfiltrate the token), an input injection vulnerability in release-1-create-pr.yml where unvalidated release_number is interpolated into shell commands enabling command execution, and a logic-bypass in test-helm-chart.yml that trusts branch naming (github.head_ref) allowing attackers to run privileged steps and exploit a shell injection via the PR title.
CI/CD Hardening: GitHub Token Persistence Risk in
| Vulnerability | CI/CD Hardening: GitHub Token Persistence Risk |
|---|---|
| Description | The 'actions/checkout' step in the integration-tests.yml workflow (hunk 17) is used without the 'persist-credentials: false' option. By default, this action persists the GITHUB_TOKEN in the local .git/config file. This workflow subsequently executes integration tests by mounting the repository's root directory into Docker containers. Since these tests include Python scripts from the repository that can be modified by external contributors via Pull Requests, an attacker could submit a malicious PR that extracts the GITHUB_TOKEN from the mounted .git/config file. This risk is particularly notable as other similar test workflows in the same codebase (e.g., rest-framework-tests.yml, hunk 24) correctly implement 'persist-credentials: false', indicating an inconsistent security posture. |
django-DefectDojo/.github/workflows/integration-tests.yml
Lines 41 to 60 in 2895d41
Shell Injection: Unvalidated Input in Git Command in .github/workflows/release-1-create-pr.yml
| Vulnerability | Shell Injection: Unvalidated Input in Git Command |
|---|---|
| Description | The workflow .github/workflows/release-1-create-pr.yml is vulnerable to shell command injection via the release_number input. This input is directly interpolated into several shell commands in run steps using the ${{ inputs.release_number }} syntax. Because GitHub Actions expands these expressions before passing the command to the shell, an attacker can provide an input containing shell metacharacters (like ;, $(...), or ') to execute arbitrary commands. The 'Validate' steps also use the vulnerable input in an echo command and can be easily bypassed. This allows an attacker with write access to execute arbitrary code on the runner and potentially exfiltrate secrets or bypass branch protections. |
django-DefectDojo/.github/workflows/release-1-create-pr.yml
Lines 40 to 46 in 2895d41
CI/CD Logic Bypass: Insecure Pull Request Handling in .github/workflows/test-helm-chart.yml
| Vulnerability | CI/CD Logic Bypass: Insecure Pull Request Handling |
|---|---|
| Description | The workflow .github/workflows/test-helm-chart.yml uses the github.head_ref context variable in an if condition to determine whether to execute steps reserved for trusted bots (Renovate and Dependabot). Since github.head_ref is the name of the branch in the source repository (which can be an external fork), an attacker can spoof this value by naming their branch with a prefix like renovate/. This bypass allows an attacker to trigger the documentation update job, which contains a step ('Update values in HELM chart') vulnerable to shell command injection via the pull request title (${{ github.event.pull_request.title }}). Although the default GITHUB_TOKEN for pull requests from forks is read-only (mitigating unauthorized pushes to the base repository), the logic bypass enables arbitrary code execution on the GitHub Actions runner and the ability to skip mandatory linting checks (like the 'artifacthub.io/changes' annotation check). |
django-DefectDojo/.github/workflows/test-helm-chart.yml
Lines 133 to 136 in 2895d41
All finding details can be found in the DryRun Security Dashboard.
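Added example, not part of this PR and not DefectDojo's own workflow code: a single illustrative workflow showing the hardened form of each of the three patterns flagged above (credentials not persisted by actions/checkout, workflow inputs and the PR title bound to environment variables instead of being interpolated into `run:`, and bot-only steps gated on the head repository and actor rather than on `github.head_ref`). The job names, the `docker run` command, the version regex, the bot account names and the `.pr_title.txt` output file are assumptions made for this example, not values taken from the repository.

```yaml
# Added example (not the project's workflow code). Names and commands below
# are illustrative assumptions, not values from the DefectDojo repository.
name: hardened-ci-examples

on:
  pull_request:
  workflow_dispatch:
    inputs:
      release_number:
        description: "Release version, e.g. 2.55.0"
        required: true
        type: string

permissions:
  contents: read   # least privilege for the default GITHUB_TOKEN

jobs:
  # Finding 1: do not leave GITHUB_TOKEN in .git/config when the checkout is
  # mounted into a container that runs code controlled by the PR author.
  integration-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Confirm no credential header remains in the checkout
        run: |
          # actions/checkout stores the token as an http.<url>.extraheader entry;
          # --get-regexp exits non-zero when no such key exists.
          if git config --get-regexp 'http\..*\.extraheader' >/dev/null; then
            echo "::error::credentials persisted in .git/config"
            exit 1
          fi
      - name: Run tests in a container (assumed command)
        run: docker run --rm -v "$PWD:/app" -w /app python:3.12 python -m pytest -q

  # Finding 2: never place ${{ inputs.* }} inside run:. Bind the input to an
  # env var so the shell receives a quoted variable, and validate its format.
  create-release-pr:
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    env:
      RELEASE_NUMBER: ${{ inputs.release_number }}
    steps:
      - name: Validate release_number (assumed MAJOR.MINOR.PATCH format)
        run: |
          if ! [[ "$RELEASE_NUMBER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::invalid release_number: ${RELEASE_NUMBER}"
            exit 1
          fi
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Create release branch
        run: git checkout -b "release/${RELEASE_NUMBER}"

  # Finding 3: github.head_ref is chosen by the PR author, so a fork branch
  # named renovate/... passes a prefix check. Gate on the head repository being
  # this repository and on the acting bot account, and pass the PR title via
  # env so the shell treats it as data rather than code.
  helm-docs:
    runs-on: ubuntu-latest
    if: >-
      ${{ github.event_name == 'pull_request' &&
          github.event.pull_request.head.repo.full_name == github.repository &&
          (github.actor == 'renovate[bot]' || github.actor == 'dependabot[bot]') }}
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Update values in Helm chart (assumed step body)
        run: |
          # "$PR_TITLE" is a quoted variable here; shell metacharacters in the
          # title are not interpreted.
          printf '%s\n' "$PR_TITLE" > .pr_title.txt
```

The check in the first job is the practical way to confirm the setting took effect: with `persist-credentials: false` the `http.https://github.com/.extraheader` key that actions/checkout normally writes is absent, so the `git config --get-regexp` probe fails and the step passes. The `env:` indirection in the other two jobs matters because GitHub substitutes `${{ ... }}` into the script text before the shell starts; once the value only ever appears as `"$RELEASE_NUMBER"` or `"$PR_TITLE"`, the shell never parses it as a command.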
Release triggered by rossops