Release: Merge back 2.57.3 into bugfix from: master-into-bugfix/2.57.3-2.58.0-dev#14762

Merged: Maffooch merged 5 commits into bugfix from master-into-bugfix/2.57.3-2.58.0-dev on Apr 27, 2026

Conversation

@github-actions
Contributor

Release triggered by rossops

Maffooch and others added 4 commits April 27, 2026 08:43
Tags every PR opened by release-1-create-pr.yml and release-3-master-into-dev.yml (release, master-into-dev, master-into-bugfix) with the release-management label, so release PRs are easy to filter and automate on without title/branch-regex matching.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Release: Merge release into master from: release/2.57.3
@github-actions github-actions Bot requested a review from Maffooch as a code owner April 27, 2026 15:45
@github-actions github-actions Bot added the release-management Automated release-train PR label Apr 27, 2026
@github-actions github-actions Bot requested a review from mtesauro as a code owner April 27, 2026 15:45
@rossops rossops closed this Apr 27, 2026
@rossops rossops reopened this Apr 27, 2026
@github-actions github-actions Bot added the helm label Apr 27, 2026
@dryrunsecurity

DryRun Security

This pull request contains a critical finding: a GitHub Actions workflow (.github/workflows/release-3-master-into-dev.yml) uses actions/github-script and interpolates untrusted inputs (inputs.release_number_new, env.NEW_BRANCH) directly into a JavaScript string, enabling script injection that could let an attacker execute arbitrary code with the GITHUB_TOKEN's privileges. Remediation: treat these values as untrusted (escape or validate them, avoid string interpolation into code, or use the actions toolkit APIs/inputs safely) to prevent privilege-abusing injection.

🔴 GitHub Actions Script Injection in .github/workflows/release-3-master-into-dev.yml (drs_7253381e)
Vulnerability GitHub Actions Script Injection
Description The workflow uses actions/github-script, which executes JavaScript within a Node.js environment. Input variables like inputs.release_number_new and env.NEW_BRANCH are interpolated directly into a JavaScript string literal. An attacker could provide a crafted input containing characters like '); ... // to break out of the string literal and execute arbitrary JavaScript code. This JavaScript runs with the privileges of the GITHUB_TOKEN, which can modify PRs, add labels, and potentially interact with other GitHub API endpoints depending on the configured permissions for the workflow.

title: 'Release: Merge back ${{ inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
head: '${{ env.NEW_BRANCH }}',
base: 'dev'

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

@Maffooch Maffooch merged commit fba9eac into bugfix Apr 27, 2026
160 checks passed
@rossops rossops deleted the master-into-bugfix/2.57.3-2.58.0-dev branch April 27, 2026 17:52

2 participants