Release: Merge release into master from: release/2.53.2 #13903

Merged
rossops merged 21 commits into master from release/2.53.2 on Dec 15, 2025

Conversation

@github-actions (Contributor)

Release triggered by rossops

DefectDojo release bot and others added 20 commits December 8, 2025 17:28
….54.0-dev

Release: Merge back 2.53.1 into bugfix from: master-into-bugfix/2.53.1-2.54.0-dev
* add asset/org info

* remove ref to P/PT nestability

* change screenshot

* add contact email

* Update docs/content/en/working_with_findings/organizing_engagements_tests/pro_assets_organizations.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* Update docs/content/en/working_with_findings/organizing_engagements_tests/pro_assets_organizations.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
* update changelog

* update pro_features.md

* Update docs/content/en/changelog/changelog.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* Update docs/content/en/changelog/changelog.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
…13865)

Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
* delete_chunk: ensure ordering

* delete_chunk: wait for chunk_deletion to complete

* delete_chunk: retry on deadlock

* ruff

---------

Co-authored-by: Valentijn Scholten <valentijn.scholten@iodigital.com>
Clarified release types and added details on dependency updates.
* dedupe: optimize found_by

* fix: update expected query counts in performance tests

* fix: update expected query counts in performance tests
@rossops rossops closed this Dec 15, 2025
@rossops rossops reopened this Dec 15, 2025
@github-actions github-actions Bot added the labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests and helm on Dec 15, 2025
@dryrunsecurity

dryrunsecurity Bot commented Dec 15, 2025

DryRun Security

This pull request introduces three security issues: an information disclosure risk where detailed JIRA error messages can be sent to any subscriber (including non-admins), a dangerous dynamic module import in a management command that could let an attacker force arbitrary Python module imports, and a command injection vulnerability in a GitHub Actions workflow that allows crafted PR titles with single quotes to execute arbitrary shell commands.

Information Disclosure through Error Messages in dojo/jira_link/helper.py
Vulnerability: Information Disclosure through Error Messages
Description: The system generates a detailed error message, "Object {obj.id} cannot be pushed to JIRA as the JIRA instance has been deleted or is not available." This message is then incorporated into a notification's description via the log_jira_alert and create_notification functions. The create_notification function can send these alerts to various channels, including email, Slack, and Microsoft Teams. While the jira_update event is typically for administrators, the system's notification settings allow any user to subscribe to any notification type, including jira_update. This means a non-privileged user could potentially subscribe to jira_update notifications and receive detailed internal system errors, revealing sensitive information about the JIRA integration's operational status and configuration (e.g., that a JIRA instance has been deleted or is unavailable).

message = f"Object {obj.id} cannot be pushed to JIRA as the JIRA instance has been deleted or is not available."
return failure_to_add_message(message, None, obj)
obj_can_be_pushed_to_jira, error_message, _error_code = can_be_pushed_to_jira(obj)

Arbitrary Module Import in dojo/management/commands/reimport_unittest_scan.py
Vulnerability: Arbitrary Module Import
Description: The reimport_unittest_scan management command dynamically imports a parser module based on the scan_file argument. The module_name is extracted from the first part of the scan_file path. An attacker who can execute this command could craft a scan_file path to force the application to import an arbitrary Python module, potentially leading to code execution. For example, providing scan_file='os/foo.json' would attempt to import dojo.tools.os.parser, which could then be used to access sensitive modules like os.

module = import_module(f"dojo.tools.{module_name}.parser")
# Find the parser class
parser_class = None

Command Injection in GitHub Actions in .github/workflows/test-helm-chart.yml
Vulnerability: Command Injection in GitHub Actions
Description: The GitHub Actions workflow in .github/workflows/test-helm-chart.yml uses the github.event.pull_request.title directly within a shell command that executes yq. The title variable, derived from the pull request title, is used within a single-quoted string in the yq command. Although a denylist-based sanitization step is present, it does not filter out single quotes ('). An attacker can craft a pull request title containing a single quote to break out of the yq command's string literal and inject arbitrary shell commands, which will be executed on the GitHub Actions runner.

yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: '$title'\n"' helm/defectdojo/Chart.yaml
git add helm/defectdojo/Chart.yaml
git commit -m "ci: update Chart annotations from PR #${{ github.event.pull_request.number }}" || echo "No changes to commit"


All finding details can be found in the DryRun Security Dashboard.
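The arbitrary-import finding above turns on `module_name` being taken straight from the user-supplied `scan_file` path. The usual hardening is to build an allowlist from the parser sub-packages that actually exist on disk and to accept only a plain identifier from that set before `import_module` is ever called. The block below is an added example written for this page, not DefectDojo's code: the `demo_dojo.tools` package, its `acme` parser and the `AcmeParser` class are constructed in a temporary directory purely to exercise the check.

```python
import re
import sys
import tempfile
from importlib import import_module
from pathlib import Path
from pkgutil import iter_modules

# Added example for this page, not DefectDojo code. 'demo_dojo.tools' stands in
# for the real parser package and is created on disk by build_demo_package().
IDENTIFIER = re.compile(r"^[a-z][a-z0-9_]*$")


def discover_parser_names(package):
    """Allowlist of tool names: the sub-packages that really exist under the
    parser package. Built from the filesystem, never from caller input."""
    pkg = import_module(package)
    return {m.name for m in iter_modules(pkg.__path__) if m.ispkg}


def resolve_parser_module(scan_file, allowed_parsers, package):
    """Map '<tool>/<file>' to '<package>.<tool>.parser', refusing anything whose
    first path component is not a plain identifier on the allowlist, so dotted
    names, '..' and unknown tools are rejected before import_module runs."""
    module_name = scan_file.split("/", 1)[0]
    if not IDENTIFIER.match(module_name):
        raise ValueError(f"parser name is not a plain identifier: {module_name!r}")
    if module_name not in allowed_parsers:
        raise ValueError(f"parser not in allowlist: {module_name!r}")
    return f"{package}.{module_name}.parser"


def load_parser_module(scan_file, allowed_parsers, package):
    return import_module(resolve_parser_module(scan_file, allowed_parsers, package))


def build_demo_package(root):
    """Create a constructed package layout: demo_dojo/tools/acme/parser.py."""
    acme = Path(root, "demo_dojo", "tools", "acme")
    acme.mkdir(parents=True)
    for pkg_dir in (acme.parent.parent, acme.parent, acme):
        (pkg_dir / "__init__.py").write_text("")
    (acme / "parser.py").write_text(
        "class AcmeParser:\n"
        "    def get_scan_types(self):\n"
        "        return ['Acme Scan']\n"
    )


def demo():
    """Return (scan types from the legitimately loaded parser, rejected inputs)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_package(root)
        sys.path.insert(0, root)
        try:
            allowed = discover_parser_names("demo_dojo.tools")
            module = load_parser_module("acme/scan.json", allowed, "demo_dojo.tools")
            rejected = []
            # Each of these would have been handed to import_module unchecked.
            for bad in ("os/foo.json", "../foo.json", "acme.parser/x.json", "sys/x.json"):
                try:
                    resolve_parser_module(bad, allowed, "demo_dojo.tools")
                except ValueError:
                    rejected.append(bad)
            return module.AcmeParser().get_scan_types(), rejected
        finally:
            sys.path.remove(root)


if __name__ == "__main__":
    scan_types, rejected = demo()
    print("loaded parser reports:", scan_types)
    print("rejected scan_file values:", rejected)
```

The allowlist is derived once from the package directory and compared by exact name, so a management command keeps working for every real parser while refusing any `scan_file` whose leading component is not one of them.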
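The workflow finding above is the generic GitHub Actions template-injection pattern: a `${{ github.event.* }}` expression is expanded into the text of a `run:` script before the shell parses it, so no quoting inside the script can protect against the value. The usual fix is to pass the value through `env:` and read it as a shell variable (with yq, via `strenv(PR_TITLE)` inside the expression instead of shell interpolation). Below is an added example, not part of the project or of the DryRun report, of a small linter that flags such expressions only when they occur inside `run:` blocks; the workflow text it scans is constructed for the demo and contains both the vulnerable and the hardened step.

```python
import re

# Added example for this page; not DefectDojo code. The expression list is a
# constructed subset of event fields that a pull-request author controls.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*("
    r"github\.event\.pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|github\.event\.issue\.(?:title|body)"
    r"|github\.event\.comment\.body"
    r"|github\.event\.head_commit\.message"
    r"|github\.head_ref"
    r")\s*\}\}"
)
# A 'run:' key, optionally as a list item ('- run: ...'); group 3 is any
# inline script text on the same line.
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def find_template_injections(workflow_text):
    """Return (line_number, expression) for every untrusted expression that is
    expanded inside a run: script. Expressions in env: values are not reported,
    because there the value reaches the shell as an environment variable
    instead of being pasted into the script source."""
    findings = []
    block_indent = None  # indent of the run: key whose script we are inside
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        # A non-blank line indented at or above the run: key ends its block.
        if block_indent is not None and stripped and _indent(line) <= block_indent:
            block_indent = None
        m = RUN_KEY.match(line)
        if m:
            block_indent = len(m.group(1)) + len(m.group(2) or "")
            text = m.group(3)
        elif block_indent is not None:
            text = line
        else:
            continue
        for expr in UNTRUSTED_EXPR.finditer(text):
            findings.append((lineno, expr.group(0)))
    return findings


# Constructed workflow excerpt: step 1 repeats the vulnerable shape from the
# report (title expanded into the script), step 2 shows the hardened shape.
SAMPLE_WORKFLOW = """\
name: helm-annotations
on: pull_request
jobs:
  annotate:
    runs-on: ubuntu-latest
    steps:
      - name: Vulnerable - title is pasted into the script before bash runs it
        run: |
          title='${{ github.event.pull_request.title }}'
          echo "$title"
      - name: Hardened - title reaches bash only as an environment variable
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "$PR_TITLE"
"""

if __name__ == "__main__":
    for lineno, expr in find_template_injections(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {expr} is expanded inside a run: script")
```

Run against the sample it reports only line 9, the single-quoted `title='...'` assignment; the `env:` entry on line 13 is the safe form and is deliberately left alone. The indentation tracking is enough for the `run: |` and `- run:` shapes used in typical workflows; it is a lint, not a YAML parser, and pairs well with a denylist check rather than replacing one.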

@rossops rossops merged commit f21b1ff into master Dec 15, 2025
30 checks passed
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
Release: Merge release into master from: release/2.53.2
5 participants