Release: Merge release into master from: release/2.46.1 #12402
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
….47.0-dev Release: Merge back 2.46.0 into bugfix from: master-into-bugfix/2.46.0-2.47.0-dev
* tags: prevent validation from removing tags * tags: prevent validation from removing tags smoke test * tags: prevent validation from removing tags smoke test * tags: prevent validation from removing tags remove ui test
🔴 Risk threshold exceeded.This pull request contains multiple security considerations, including a sensitive file edit in a login template, potential risks in GitHub Actions workflow checkout, reduced error logging for Jira integration, and several code-level changes that could impact validation, logging, and information disclosure.
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
💭 Unconfirmed Findings (5)
| Vulnerability | Potential Arbitrary Ref Checkout Risk in GitHub Actions Workflow |
|---|---|
| Description | Dynamic input parameter for checkout reference in .github/workflows/release-x-manual-helm-chart.yml could allow checking out unintended or malicious branches/tags if input validation is not strictly enforced |
| Vulnerability | Reduced Error Visibility in Jira Integration Logging |
|---|---|
| Description | Changing log level from error to debug in dojo/finding/views.py reduces visibility of potential issues in Jira integration, potentially suppressing critical error information |
| Vulnerability | Potential Unhandled Tag Validation Edge Case |
|---|---|
| Description | Added return statement in dojo/forms.py might bypass additional form-level validation, potentially allowing invalid tags to propagate |
| Vulnerability | Potential Information Disclosure via Debug Logging |
|---|---|
| Description | New debug log statement in dojo/utils.py could expose internal validation logic or sensitive input details if debug logs are accidentally enabled in production |
| Vulnerability | Potential Dependency Version Disclosure |
|---|---|
| Description | Publicly disclosing the exact version in components/package.json could help attackers understand which specific software version is in use, potentially aiding targeted vulnerability research |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release triggered by
Maffooch