Release 2.53.0: Merge Bugfix into Dev

[rossops]

No description provided.

[dryrunsecurity]

🔴 Risk threshold exceeded.

This pull request modifies sensitive codepaths (dojo/jira_link/helper.py) and includes a GitHub Actions workflow that unsafely uses pull request titles in shell commands—allowing command injection—and exposes JIRA client settings configurable via env vars without enforced upper limits, which could lead to resource exhaustion.

🔴 Configured Codepaths Edit in dojo/jira_link/helper.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/jira_link/helper.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Command Injection in GitHub Actions in .github/workflows/test-helm-chart.yml

Vulnerability

Command Injection in GitHub Actions

Description

The GitHub Actions workflow directly uses the github.event.pull_request.title in a shell command. Although there's an attempt to sanitize the input by replacing certain characters, critical shell metacharacters such as $, backticks (`), and semicolons (;) are not included in the sanitization list. This allows an attacker to inject arbitrary shell commands by crafting a malicious pull request title, leading to command execution within the CI/CD runner.

django-DefectDojo/.github/workflows/test-helm-chart.yml

Lines 122 to 125 in 83c54b1

	yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: $title\n"' helm/defectdojo/Chart.yaml
	git add helm/defectdojo/Chart.yaml
	git commit -m "ci: update Chart annotations from PR #${{ github.event.pull_request.number }}" || echo "No changes to commit"

Resource Exhaustion via JIRA Client Misconfiguration in dojo/jira_link/helper.py

Vulnerability

Resource Exhaustion via JIRA Client Misconfiguration

Description

The JIRA client's max_retries and timeout settings are configurable via environment variables (DD_JIRA_MAX_RETRIES, DD_JIRA_CONNECT_TIMEOUT, DD_JIRA_READ_TIMEOUT). While default values are reasonable, the application does not enforce any maximum limits on these integer inputs. An administrator could set excessively high values, leading to prolonged blocking calls or numerous retry attempts against an unresponsive JIRA instance. This could exhaust application resources (CPU, memory, threads), causing a denial of service for DefectDojo.

django-DefectDojo/dojo/jira_link/helper.py

Lines 441 to 442 in 83c54b1

	max_retries=max_retries,
	timeout=timeout,

We've notified @mtesauro.

---

All finding details can be found in the DryRun Security Dashboard.

[rossops]

@kiblik Can you take a look at the failing lint helm chart test for this PR? https://github.com/DefectDojo/django-DefectDojo/actions/runs/19829442254/job/56811361081?pr=13801

If im interpreting it correctly, it looks like it fails if there are no differences between the two merging branches for the chart, which would be a valid condition.