Release 2.53.0: Merge Bugfix into Dev #13801
….53.0-dev Release: Merge back 2.52.3 into bugfix from: master-into-bugfix/2.52.3-2.53.0-dev
Signed-off-by: kiblik <[email protected]>
Remove unnecessary error logging for finding group status.
JIRA: add retry/rate limit support
Remove left over log statement
🔴 Risk threshold exceeded. This pull request modifies sensitive codepaths (dojo/jira_link/helper.py) and includes a GitHub Actions workflow that unsafely uses pull request titles in shell commands, allowing command injection, and exposes JIRA client settings configurable via env vars without enforced upper limits, which could lead to resource exhaustion.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Command Injection in GitHub Actions in .github/workflows/test-helm-chart.yml
| Vulnerability | Command Injection in GitHub Actions |
|---|---|
| Description | The GitHub Actions workflow directly uses the github.event.pull_request.title in a shell command. Although there's an attempt to sanitize the input by replacing certain characters, critical shell metacharacters such as $, backticks (`), and semicolons (;) are not included in the sanitization list. This allows an attacker to inject arbitrary shell commands by crafting a malicious pull request title, leading to command execution within the CI/CD runner. |
django-DefectDojo/.github/workflows/test-helm-chart.yml, lines 122 to 125 in 83c54b1:

```sh
yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: $title\n"' helm/defectdojo/Chart.yaml
git add helm/defectdojo/Chart.yaml
git commit -m "ci: update Chart annotations from PR #${{ github.event.pull_request.number }}" || echo "No changes to commit"
```
Resource Exhaustion via JIRA Client Misconfiguration in dojo/jira_link/helper.py
| Vulnerability | Resource Exhaustion via JIRA Client Misconfiguration |
|---|---|
| Description | The JIRA client's max_retries and timeout settings are configurable via environment variables (DD_JIRA_MAX_RETRIES, DD_JIRA_CONNECT_TIMEOUT, DD_JIRA_READ_TIMEOUT). While default values are reasonable, the application does not enforce any maximum limits on these integer inputs. An administrator could set excessively high values, leading to prolonged blocking calls or numerous retry attempts against an unresponsive JIRA instance. This could exhaust application resources (CPU, memory, threads), causing a denial of service for DefectDojo. |
django-DefectDojo/dojo/jira_link/helper.py, lines 441 to 442 in 83c54b1:

```python
max_retries=max_retries,
timeout=timeout,
```
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
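Added example (not code from the DefectDojo repository, the workflow, or DryRun): a Python simulation of the injection the finding above describes. GitHub Actions expands `${{ github.event.pull_request.title }}` by textual substitution into the `run:` script before the shell ever parses it, which an f-string fed to `subprocess.run(..., shell=True)` reproduces exactly. The sanitizer, the malicious title and the `echo` command are constructed assumptions; the workflow's real replacement list and the line that assigns `$title` are not shown on this page.

```python
import subprocess

# Constructed malicious PR title for the demo (not a title from the real PR).
# The $(...) survives a sanitizer that strips only quotes and newlines.
MALICIOUS_TITLE = 'fix: tidy up helpers $(echo INJECTED)'

# Shell metacharacters DryRun names as missing from the sanitizer ($, `, ;),
# plus two more that also reach the shell parser.
DANGEROUS = set('$`;|&')


def naive_sanitize(title: str) -> str:
    """Assumed partial sanitizer (stand-in for the workflow's own list):
    drops quotes and newlines but leaves $, backtick and ; untouched."""
    return title.replace('"', '').replace("'", '').replace('\n', ' ')


def residual_metachars(title: str) -> set:
    """Dangerous characters still present after sanitizing; non-empty means
    the blacklist approach has already failed."""
    return DANGEROUS & set(naive_sanitize(title))


def vulnerable_step(title: str) -> str:
    """Mirrors a run: step that interpolates the title expression directly.
    Actions splices the text into the script before /bin/sh parses it, so the
    shell sees and executes the $(...) command substitution."""
    script = f'echo "description: {naive_sanitize(title)}"'
    done = subprocess.run(script, shell=True, capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


def hardened_step(title: str) -> str:
    """The title enters the shell only as data: passed through the environment
    and referenced quoted, equivalent to an env: mapping on the step and
    "$PR_TITLE" in run:. No sanitizer is involved at all."""
    script = 'echo "description: $PR_TITLE"'
    done = subprocess.run(script, shell=True, capture_output=True, text=True,
                          check=True,
                          env={"PR_TITLE": title, "PATH": "/usr/bin:/bin"})
    return done.stdout.strip()


if __name__ == "__main__":
    print("residual metachars:", residual_metachars(MALICIOUS_TITLE))
    print("vulnerable:", vulnerable_step(MALICIOUS_TITLE))
    print("hardened:  ", hardened_step(MALICIOUS_TITLE))
```

The hardened form is the documented Actions pattern: map the expression to a variable in the step's `env:` block and reference `"$PR_TITLE"` inside `run:`. The shell then only ever receives the title as a value, so there is no character list to get wrong.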
@kiblik Can you take a look at the failing lint helm chart test for this PR? https://github.com/DefectDojo/django-DefectDojo/actions/runs/19829442254/job/56811361081?pr=13801 If I'm interpreting it correctly, it looks like it fails if there are no differences between the two merging branches for the chart, which would be a valid condition.
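Added example (not code from DefectDojo's helper.py): one way to put upper bounds on the three environment variables the resource-exhaustion finding names, and to compute the worst-case time a single JIRA call can block a worker. The default values, the ceilings, the `(connect, read)` timeout tuple and the `as_client_kwargs` helper are assumptions; the page does not state DefectDojo's defaults or how `timeout` is built.

```python
import logging
import os
from dataclasses import dataclass

log = logging.getLogger(__name__)

# Assumed defaults and ceilings (not DefectDojo's own values). The ceilings
# bound how long one JIRA call can hold a worker thread during an outage.
DEFAULT_MAX_RETRIES = 3
DEFAULT_CONNECT_TIMEOUT = 10
DEFAULT_READ_TIMEOUT = 30
MAX_RETRIES_CEILING = 10
TIMEOUT_CEILING_SECONDS = 120


@dataclass(frozen=True)
class JiraClientLimits:
    max_retries: int
    connect_timeout: int
    read_timeout: int

    def worst_case_block_seconds(self) -> int:
        """Upper bound on one call: the first attempt plus every retry can
        each spend the full connect + read timeout before giving up."""
        return (self.max_retries + 1) * (self.connect_timeout + self.read_timeout)

    def as_client_kwargs(self) -> dict:
        """Assumed shape of the kwargs handed to the JIRA client (the tuple
        form is what requests accepts for connect/read timeouts)."""
        return {"max_retries": self.max_retries,
                "timeout": (self.connect_timeout, self.read_timeout)}


def _bounded_int(env, name, default, floor, ceiling):
    """Parse an integer env var, reject values below floor, clamp above
    ceiling with a warning so a bad admin value cannot hang workers."""
    raw = env.get(name)
    if raw is None:
        return default
    try:
        value = int(raw)
    except ValueError:
        raise ValueError(f"{name} must be an integer, got {raw!r}") from None
    if value < floor:
        raise ValueError(f"{name} must be at least {floor}, got {value}")
    if value > ceiling:
        log.warning("%s=%d exceeds ceiling %d; clamping", name, value, ceiling)
        return ceiling
    return value


def load_jira_limits(env=os.environ) -> JiraClientLimits:
    """Read the three DD_JIRA_* variables with bounds enforced. Retries may be
    zero; a timeout of zero is rejected because it means 'wait forever' in
    some HTTP stacks, the opposite of what an operator intends."""
    return JiraClientLimits(
        max_retries=_bounded_int(env, "DD_JIRA_MAX_RETRIES",
                                 DEFAULT_MAX_RETRIES, 0, MAX_RETRIES_CEILING),
        connect_timeout=_bounded_int(env, "DD_JIRA_CONNECT_TIMEOUT",
                                     DEFAULT_CONNECT_TIMEOUT, 1, TIMEOUT_CEILING_SECONDS),
        read_timeout=_bounded_int(env, "DD_JIRA_READ_TIMEOUT",
                                  DEFAULT_READ_TIMEOUT, 1, TIMEOUT_CEILING_SECONDS),
    )


if __name__ == "__main__":
    limits = load_jira_limits({"DD_JIRA_MAX_RETRIES": "1000",
                               "DD_JIRA_READ_TIMEOUT": "86400"})
    print(limits, "worst case", limits.worst_case_block_seconds(), "s")
```

The worst-case figure is the number to watch: with the unbounded settings in the constructed call above a single finding push could block a worker for over a day, while the clamped values cap it at (10 + 1) * (10 + 120) = 1430 seconds, still long, which is why the ceilings should be tuned to the deployment's worker count and request timeout.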
No description provided.