Vendoring bitnami charts/images

[rossops]

Description

Vendoring the bitnami charts and images. This is a temporary change until we can identify and test a better solution. A public repo has been setup to hold the images.

Test results

1. Installed from scratch into minikube.
2. Upgraded existing version (no changes to volumes noted).
3. Ensured images can be pulled as a public user.

The changes made to the charts were in values.yaml. Ex:
https://github.com/DefectDojo/django-DefectDojo/compare/bugfix...ree/vendor_bitnami?expand=1#diff-b14ee6d8b279a42c87a5f60470bfd6ed367a58c6222e37eef94ba07749e140f6R123

There was also a change in values.yaml to allow insecure images.

Other than that, these charts are identical to the ones on bitnami today. I chose to post the charts uncompressed as best practice and for transparency.

[dryrunsecurity]

This pull request reveals multiple security findings in the Helm chart and CI/CD workflow, including potential information disclosure through logs and error messages, a Server-Side Template Injection vulnerability, insecure image usage settings, and weak random password generation, which could expose internal infrastructure details and create opportunities for reconnaissance or unauthorized access.

Information Disclosure in CI/CD Logs in .github/workflows/k8s-tests.yml

Vulnerability

Information Disclosure in CI/CD Logs

Description

The CI/CD workflow in .github/workflows/k8s-tests.yml is being modified to include kubectl logs, kubectl get events, and kubectl describe pvc. These commands output operational data, cluster topology, and application logs into the GitHub Actions logs. If the repository is public, these logs are also public, leading to information disclosure of internal infrastructure details and potentially sensitive application data.

django-DefectDojo/.github/workflows/k8s-tests.yml

Lines 98 to 106 in 91c17c3

	kubectl get all,ingress # all = pods, services, deployments, replicasets, statefulsets, jobs
	helm status defectdojo
	helm history defectdojo
	kubectl get events --sort-by=.metadata.creationTimestamp
	kubectl describe pvc data-defectdojo-postgresql-0
	kubectl logs pod/defectdojo-postgresql-0 --all-containers --tail=100 --prefix
	- name: Check Application
	timeout-minutes: 10

Server-Side Template Injection (SSTI) in helm/defectdojo/charts/postgresql/charts/common/templates/_tplvalues.tpl

Vulnerability

Server-Side Template Injection (SSTI)

Description

The common.tplvalues.render helper function, used in various parts of the Helm chart including common.labels.matchLabels and common.images.renderPullSecrets, directly processes user-supplied input from values.yaml (e.g., .Values.podLabels, .Values.global.imagePullSecrets) using the tpl function. This allows an attacker to inject arbitrary Go template syntax, leading to Server-Side Template Injection.

django-DefectDojo/helm/defectdojo/charts/postgresql/charts/common/templates/_tplvalues.tpl

Lines 1 to 52 in 91c17c3

	{{/*
	Copyright Broadcom, Inc. All Rights Reserved.
	SPDX-License-Identifier: APACHE-2.0
	*/}}
	{{/* vim: set filetype=mustache: */}}
	{{/*
	Renders a value that contains template perhaps with scope if the scope is present.
	Usage:
	{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
	{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
	*/}}
	{{- define "common.tplvalues.render" -}}
	{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
	{{- if contains "{{" (toJson .value) }}
	{{- if .scope }}
	{{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
	{{- else }}
	{{- tpl $value .context }}
	{{- end }}
	{{- else }}
	{{- $value }}
	{{- end }}
	{{- end -}}
	{{/*
	Merge a list of values that contains template after rendering them.
	Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
	Usage:
	{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
	*/}}
	{{- define "common.tplvalues.merge" -}}
	{{- $dst := dict -}}
	{{- range .values -}}
	{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
	{{- end -}}
	{{ $dst | toYaml }}
	{{- end -}}
	{{/*
	Merge a list of values that contains template after rendering them.
	Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite
	Usage:
	{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
	*/}}
	{{- define "common.tplvalues.merge-overwrite" -}}
	{{- $dst := dict -}}
	{{- range .values -}}
	{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}}
	{{- end -}}
	{{ $dst | toYaml }}
	{{- end -}}

Information Disclosure via Error Messages in helm/defectdojo/charts/postgresql/charts/common/templates/_errors.tpl

Vulnerability

Information Disclosure via Error Messages

Description

The Helm chart's error messages for missing passwords disclose the Kubernetes secret names and the specific key names within those secrets. This information is generated by the common.validations.values.single.empty and common.utils.secret.getvalue templates, which are called by common.errors.upgrade.passwords.empty. The error message also provides a kubectl get secret command that explicitly includes the secret name and field name.

django-DefectDojo/helm/defectdojo/charts/postgresql/charts/common/templates/_errors.tpl

Lines 1 to 92 in 91c17c3

	{{/*
	Copyright Broadcom, Inc. All Rights Reserved.
	SPDX-License-Identifier: APACHE-2.0
	*/}}
	{{/* vim: set filetype=mustache: */}}
	{{/*
	Throw error when upgrading using empty passwords values that must not be empty.
	Usage:
	{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
	{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
	{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
	Required password params:
	- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
	- context - Context - Required. Parent context.
	*/}}
	{{- define "common.errors.upgrade.passwords.empty" -}}
	{{- $validationErrors := join "" .validationErrors -}}
	{{- if and $validationErrors .context.Release.IsUpgrade -}}
	{{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
	{{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
	{{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
	{{- $errorString = print $errorString "\n%s" -}}
	{{- printf $errorString $validationErrors | fail -}}
	{{- end -}}
	{{- end -}}
	{{/*
	Throw error when original container images are replaced.
	The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
	a warning message will be shown instead.
	Usage:
	{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
	*/}}
	{{- define "common.errors.insecureImages" -}}
	{{- $relocatedImages := list -}}
	{{- $replacedImages := list -}}
	{{- $bitnamiLegacyImages := list -}}
	{{- $retaggedImages := list -}}
	{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
	{{- $originalImages := .context.Chart.Annotations.images -}}
	{{- range .images -}}
	{{- $registryName := default .registry $globalRegistry -}}
	{{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
	{{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
	{{- if not (contains $fullImageNameNoTag $originalImages) -}}
	{{- if not (contains $registryName $originalImages) -}}
	{{- $relocatedImages = append $relocatedImages $fullImageName -}}
	{{- else if not (contains .repository $originalImages) -}}
	{{- $replacedImages = append $replacedImages $fullImageName -}}
	{{- if contains "docker.io/bitnamilegacy/" $fullImageNameNoTag -}}
	{{- $bitnamiLegacyImages = append $bitnamiLegacyImages $fullImageName -}}
	{{- end -}}
	{{- end -}}
	{{- end -}}
	{{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
	{{- $retaggedImages = append $retaggedImages $fullImageName -}}
	{{- end -}}
	{{- end -}}
	{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
	{{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
	{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
	{{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
	{{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
	{{- range (concat $relocatedImages $replacedImages) -}}
	{{- $errorString = print $errorString "\n - " . -}}
	{{- end -}}
	{{- if and (eq (len $relocatedImages) 0) (eq (len $replacedImages) (len $bitnamiLegacyImages)) -}}
	{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
	{{- print $errorString -}}
	{{- else if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) (contains "docker.io/bitnamisecure/" $originalImages) -}}
	{{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
	{{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
	{{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
	{{- print $errorString | fail -}}
	{{- else if gt (len $replacedImages) 0 -}}
	{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
	{{- print $errorString -}}
	{{- end -}}
	{{- else if gt (len $retaggedImages) 0 -}}
	{{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting original image tags could cause unexpected behavior." -}}
	{{- $warnString = print $warnString "\n\nRetagged images:" -}}
	{{- range $retaggedImages -}}
	{{- $warnString = print $warnString "\n - " . -}}
	{{- end -}}
	{{- print $warnString -}}
	{{- end -}}
	{{- end -}}

Potential for Insecure Image Usage Bypass in helm/defectdojo/charts/postgresql/charts/common/templates/_errors.tpl

Vulnerability

Potential for Insecure Image Usage Bypass

Description

The global.security.allowInsecureImages flag is set to true by default in the helm/defectdojo/charts/postgresql/values.yaml file. This setting, when active, downgrades the common.errors.insecureImages template's behavior from a deployment-blocking error to a warning if non-standard or unverified container images are used for the PostgreSQL component. This weakens the supply chain security posture by allowing potentially vulnerable or malicious PostgreSQL images to be deployed without a hard stop, relying solely on a warning that could be overlooked.

django-DefectDojo/helm/defectdojo/charts/postgresql/charts/common/templates/_errors.tpl

Lines 1 to 92 in 91c17c3

	{{/*
	Copyright Broadcom, Inc. All Rights Reserved.
	SPDX-License-Identifier: APACHE-2.0
	*/}}
	{{/* vim: set filetype=mustache: */}}
	{{/*
	Throw error when upgrading using empty passwords values that must not be empty.
	Usage:
	{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
	{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
	{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
	Required password params:
	- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
	- context - Context - Required. Parent context.
	*/}}
	{{- define "common.errors.upgrade.passwords.empty" -}}
	{{- $validationErrors := join "" .validationErrors -}}
	{{- if and $validationErrors .context.Release.IsUpgrade -}}
	{{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
	{{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
	{{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
	{{- $errorString = print $errorString "\n%s" -}}
	{{- printf $errorString $validationErrors | fail -}}
	{{- end -}}
	{{- end -}}
	{{/*
	Throw error when original container images are replaced.
	The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
	a warning message will be shown instead.
	Usage:
	{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
	*/}}
	{{- define "common.errors.insecureImages" -}}
	{{- $relocatedImages := list -}}
	{{- $replacedImages := list -}}
	{{- $bitnamiLegacyImages := list -}}
	{{- $retaggedImages := list -}}
	{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
	{{- $originalImages := .context.Chart.Annotations.images -}}
	{{- range .images -}}
	{{- $registryName := default .registry $globalRegistry -}}
	{{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
	{{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
	{{- if not (contains $fullImageNameNoTag $originalImages) -}}
	{{- if not (contains $registryName $originalImages) -}}
	{{- $relocatedImages = append $relocatedImages $fullImageName -}}
	{{- else if not (contains .repository $originalImages) -}}
	{{- $replacedImages = append $replacedImages $fullImageName -}}
	{{- if contains "docker.io/bitnamilegacy/" $fullImageNameNoTag -}}
	{{- $bitnamiLegacyImages = append $bitnamiLegacyImages $fullImageName -}}
	{{- end -}}
	{{- end -}}
	{{- end -}}
	{{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
	{{- $retaggedImages = append $retaggedImages $fullImageName -}}
	{{- end -}}
	{{- end -}}
	{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
	{{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
	{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
	{{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
	{{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
	{{- range (concat $relocatedImages $replacedImages) -}}
	{{- $errorString = print $errorString "\n - " . -}}
	{{- end -}}
	{{- if and (eq (len $relocatedImages) 0) (eq (len $replacedImages) (len $bitnamiLegacyImages)) -}}
	{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
	{{- print $errorString -}}
	{{- else if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) (contains "docker.io/bitnamisecure/" $originalImages) -}}
	{{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
	{{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
	{{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
	{{- print $errorString | fail -}}
	{{- else if gt (len $replacedImages) 0 -}}
	{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
	{{- print $errorString -}}
	{{- end -}}
	{{- else if gt (len $retaggedImages) 0 -}}
	{{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting original image tags could cause unexpected behavior." -}}
	{{- $warnString = print $warnString "\n\nRetagged images:" -}}
	{{- range $retaggedImages -}}
	{{- $warnString = print $warnString "\n - " . -}}
	{{- end -}}
	{{- print $warnString -}}
	{{- end -}}
	{{- end -}}

Information Disclosure via Warning/Error Messages (Image Verification) in helm/defectdojo/charts/postgresql/charts/common/templates/_errors.tpl

Vulnerability

Information Disclosure via Warning/Error Messages (Image Verification)

Description

The Helm chart's common.errors.insecureImages template is designed to warn or error when non-standard container images are used. While this is a security feature, the detailed messages it generates, particularly when global.security.allowInsecureImages is false, include the full registry, repository, and tag of both the expected and the 'unrecognized' or 'retagged' images. This level of detail could potentially aid an attacker in reconnaissance by revealing internal image naming conventions, private registry paths, and specific versioning strategies, even if the images themselves are not directly accessible.

django-DefectDojo/helm/defectdojo/charts/postgresql/charts/common/templates/_errors.tpl

Lines 1 to 92 in 91c17c3

	{{/*
	Copyright Broadcom, Inc. All Rights Reserved.
	SPDX-License-Identifier: APACHE-2.0
	*/}}
	{{/* vim: set filetype=mustache: */}}
	{{/*
	Throw error when upgrading using empty passwords values that must not be empty.
	Usage:
	{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
	{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
	{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
	Required password params:
	- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
	- context - Context - Required. Parent context.
	*/}}
	{{- define "common.errors.upgrade.passwords.empty" -}}
	{{- $validationErrors := join "" .validationErrors -}}
	{{- if and $validationErrors .context.Release.IsUpgrade -}}
	{{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
	{{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
	{{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
	{{- $errorString = print $errorString "\n%s" -}}
	{{- printf $errorString $validationErrors | fail -}}
	{{- end -}}
	{{- end -}}
	{{/*
	Throw error when original container images are replaced.
	The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
	a warning message will be shown instead.
	Usage:
	{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
	*/}}
	{{- define "common.errors.insecureImages" -}}
	{{- $relocatedImages := list -}}
	{{- $replacedImages := list -}}
	{{- $bitnamiLegacyImages := list -}}
	{{- $retaggedImages := list -}}
	{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
	{{- $originalImages := .context.Chart.Annotations.images -}}
	{{- range .images -}}
	{{- $registryName := default .registry $globalRegistry -}}
	{{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
	{{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
	{{- if not (contains $fullImageNameNoTag $originalImages) -}}
	{{- if not (contains $registryName $originalImages) -}}
	{{- $relocatedImages = append $relocatedImages $fullImageName -}}
	{{- else if not (contains .repository $originalImages) -}}
	{{- $replacedImages = append $replacedImages $fullImageName -}}
	{{- if contains "docker.io/bitnamilegacy/" $fullImageNameNoTag -}}
	{{- $bitnamiLegacyImages = append $bitnamiLegacyImages $fullImageName -}}
	{{- end -}}
	{{- end -}}
	{{- end -}}
	{{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
	{{- $retaggedImages = append $retaggedImages $fullImageName -}}
	{{- end -}}
	{{- end -}}
	{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
	{{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
	{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
	{{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
	{{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
	{{- range (concat $relocatedImages $replacedImages) -}}
	{{- $errorString = print $errorString "\n - " . -}}
	{{- end -}}
	{{- if and (eq (len $relocatedImages) 0) (eq (len $replacedImages) (len $bitnamiLegacyImages)) -}}
	{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
	{{- print $errorString -}}
	{{- else if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) (contains "docker.io/bitnamisecure/" $originalImages) -}}
	{{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
	{{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
	{{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
	{{- print $errorString | fail -}}
	{{- else if gt (len $replacedImages) 0 -}}
	{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
	{{- print $errorString -}}
	{{- end -}}
	{{- else if gt (len $retaggedImages) 0 -}}
	{{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting original image tags could cause unexpected behavior." -}}
	{{- $warnString = print $warnString "\n\nRetagged images:" -}}
	{{- range $retaggedImages -}}
	{{- $warnString = print $warnString "\n - " . -}}
	{{- end -}}
	{{- print $warnString -}}
	{{- end -}}
	{{- end -}}

Insecure Random Number Generation for Password Generation in helm/defectdojo/charts/postgresql/charts/common/templates/_secrets.tpl

Vulnerability

Insecure Random Number Generation for Password Generation

Description

The common.secrets.passwords.manage template, defined in helm/defectdojo/charts/postgresql/charts/common/templates/_secrets.tpl, uses randAlphaNum and randAscii functions for password generation. These functions, part of the Sprig library used by Helm, are based on Go's math/rand package, which is not cryptographically secure. This can lead to predictable passwords for database users or other components if users rely on the default password generation, making them vulnerable to brute-force attacks.

django-DefectDojo/helm/defectdojo/charts/postgresql/charts/common/templates/_secrets.tpl

Lines 1 to 192 in 91c17c3

	{{/*
	Copyright Broadcom, Inc. All Rights Reserved.
	SPDX-License-Identifier: APACHE-2.0
	*/}}
	{{/* vim: set filetype=mustache: */}}
	{{/*
	Generate secret name.
	Usage:
	{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
	Params:
	- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
	to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
	+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
	- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
	- context - Dict - Required. The context for the template evaluation.
	*/}}
	{{- define "common.secrets.name" -}}
	{{- $name := (include "common.names.fullname" .context) -}}
	{{- if .defaultNameSuffix -}}
	{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
	{{- end -}}
	{{- with .existingSecret -}}
	{{- if not (typeIs "string" .) -}}
	{{- with .name -}}
	{{- $name = . -}}
	{{- end -}}
	{{- else -}}
	{{- $name = . -}}
	{{- end -}}
	{{- end -}}
	{{- printf "%s" $name -}}
	{{- end -}}
	{{/*
	Generate secret key.
	Usage:
	{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
	Params:
	- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
	to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
	+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
	- key - String - Required. Name of the key in the secret.
	*/}}
	{{- define "common.secrets.key" -}}
	{{- $key := .key -}}
	{{- if .existingSecret -}}
	{{- if not (typeIs "string" .existingSecret) -}}
	{{- if .existingSecret.keyMapping -}}
	{{- $key = index .existingSecret.keyMapping $.key -}}
	{{- end -}}
	{{- end }}
	{{- end -}}
	{{- printf "%s" $key -}}
	{{- end -}}
	{{/*
	Generate secret password or retrieve one if already created.
	Usage:
	{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }}
	Params:
	- secret - String - Required - Name of the 'Secret' resource where the password is stored.
	- key - String - Required - Name of the key in the secret.
	- providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
	- length - int - Optional - Length of the generated random password.
	- strong - Boolean - Optional - Whether to add symbols to the generated random password.
	- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
	- context - Context - Required - Parent context.
	- failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
	- skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
	- skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
	- honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret
	The order in which this function returns a secret password:
	1. Password provided via the values.yaml if honorProvidedValues = true
	(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
	2. Already existing 'Secret' resource
	(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
	3. Password provided via the values.yaml if honorProvidedValues = false
	(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
	4. Randomly generated secret password
	(A new random secret password with the length specified in the 'length' parameter will be generated and returned)
	*/}}
	{{- define "common.secrets.passwords.manage" -}}
	{{- $password := "" }}
	{{- $subchart := "" }}
	{{- $chartName := default "" .chartName }}
	{{- $passwordLength := default 10 .length }}
	{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
	{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
	{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
	{{- if $secretData }}
	{{- if hasKey $secretData .key }}
	{{- $password = index $secretData .key | b64dec }}
	{{- else if not (eq .failOnNew false) }}
	{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
	{{- end -}}
	{{- end }}
	{{- if and $providedPasswordValue .honorProvidedValues }}
	{{- $password = tpl ($providedPasswordValue | toString) .context }}
	{{- end }}
	{{- if not $password }}
	{{- if $providedPasswordValue }}
	{{- $password = tpl ($providedPasswordValue | toString) .context }}
	{{- else }}
	{{- if .context.Values.enabled }}
	{{- $subchart = $chartName }}
	{{- end -}}
	{{- if not (eq .failOnNew false) }}
	{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
	{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
	{{- $passwordValidationErrors := list $requiredPasswordError -}}
	{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
	{{- end }}
	{{- if .strong }}
	{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
	{{- $password = randAscii $passwordLength }}
	{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
	{{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
	{{- else }}
	{{- $password = randAlphaNum $passwordLength }}
	{{- end }}
	{{- end -}}
	{{- end -}}
	{{- if not .skipB64enc }}
	{{- $password = $password | b64enc }}
	{{- end -}}
	{{- if .skipQuote -}}
	{{- printf "%s" $password -}}
	{{- else -}}
	{{- printf "%s" $password | quote -}}
	{{- end -}}
	{{- end -}}
	{{/*
	Reuses the value from an existing secret, otherwise sets its value to a default value.
	Usage:
	{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
	Params:
	- secret - String - Required - Name of the 'Secret' resource where the password is stored.
	- key - String - Required - Name of the key in the secret.
	- defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
	- context - Context - Required - Parent context.
	*/}}
	{{- define "common.secrets.lookup" -}}
	{{- $value := "" -}}
	{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
	{{- if and $secretData (hasKey $secretData .key) -}}
	{{- $value = index $secretData .key -}}
	{{- else if .defaultValue -}}
	{{- $value = .defaultValue | toString | b64enc -}}
	{{- end -}}
	{{- if $value -}}
	{{- printf "%s" $value -}}
	{{- end -}}
	{{- end -}}
	{{/*
	Returns whether a previous generated secret already exists
	Usage:
	{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
	Params:
	- secret - String - Required - Name of the 'Secret' resource where the password is stored.
	- context - Context - Required - Parent context.
	*/}}
	{{- define "common.secrets.exists" -}}
	{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
	{{- if $secret }}
	{{- true -}}
	{{- end -}}
	{{- end -}}

---

All finding details can be found in the DryRun Security Dashboard.

[mtesauro]

Approved assuming you'll sort out the GH Action failures.

Glad to see this landing given the Bitnami changes

[kiblik]

Minor issues but some possible improvements

[kiblik]

Is this file needed? If all deps are included, this might be removed.

[kiblik]

Is this section needed? If all deps are included, this might be removed.

[kiblik]

Is this file needed? If base dep is included, this might be removed.

[kiblik]

Is this section needed? If base dep is included, this might be removed.

[kiblik]

Is this file needed? If base dep is included, this might be removed.

[kiblik]

Is this section needed? If base dep is included, this might be removed.

[rossops]

@kiblik Moving over to this PR. I found that it was turning into a yak-shave trying to have the charts in the repo.

[valentijnscholten]

New PR: #13063