Fix update-sample-data workflow pushing to protected master branch #14374

Open

valentijnscholten wants to merge 1 commit into DefectDojo:master from valentijnscholten:fix/update-sample-data-workflow

Conversation

valentijnscholten (Member) commented Feb 23, 2026

Summary

The workflow that runs the new python script to update sample data still fails because of invalid handling of branches.

  • The branch parameter in the Create Pull Request step used ${{ github.ref_name || 'dev' }}, which resolves to master when triggered via workflow_dispatch from the master branch
  • This caused the action to attempt a force-push directly to master, which is blocked by the repository's branch protection rule ("Changes must be made through a pull request")
  • Fixed by removing the redundant manual branch creation/push steps and using a fixed branch name update-sample-data for the create-pull-request action
  • The peter-evans/create-pull-request is supposed to handle things gracefully if the update-sample-data branch already exists. It will update the existing branch and PR, or, if the PR is already merged, it will create a new PR.
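The branch handling described above, shown as an added illustration rather than the DefectDojo workflow file itself: a minimal workflow_dispatch job with the old branch expression kept as a comment beside the fixed branch name. The job and step names, the script path and the commit message are assumptions; the inputs of peter-evans/create-pull-request used here (branch, title, commit-message) are the action's documented ones.

```yaml
# Added illustration, not the project's own workflow file.
# Step names, the script path and the commit message are assumed.
name: update-sample-data

on:
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Regenerate sample data
        run: python scripts/update_sample_data.py   # assumed script path

      # BEFORE (as the PR describes it): the fallback to 'dev' never applies,
      # because github.ref_name is always set. Dispatching the workflow from
      # master therefore resolves the branch to "master", the action tries to
      # force-push there, and the branch protection rule rejects the push.
      #
      #   branch: ${{ github.ref_name || 'dev' }}
      #
      # The separate "git checkout -b ... && git push" steps that used to
      # prepare that branch are dropped as well; the action manages the branch.

      # AFTER: a fixed working branch that is never a protected branch.
      # create-pull-request creates or updates "update-sample-data" and its
      # pull request, and opens a fresh PR once the previous one was merged.
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7
        with:
          branch: update-sample-data
          title: "Update sample data"
          commit-message: "Update sample data"
```

Because the action pushes only to the fixed `update-sample-data` branch, the ref the workflow was dispatched from no longer influences where changes land; it only decides which base the pull request is opened against.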

github-actions bot added labels Feb 23, 2026: docker, New Migration (Adding a new migration file. Take care when merging.), settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, integration_tests, ui, parser, helm, localization, lint

Commit message:

    The branch parameter used github.ref_name which resolved to 'master'
    when triggered via workflow_dispatch, causing a push to a protected
    branch. Simplify by letting create-pull-request manage the branch
    using a fixed name, removing the now-redundant manual branch steps.

valentijnscholten force-pushed the fix/update-sample-data-workflow branch from dcdf559 to e254b57 on February 23, 2026 20:26

github-actions bot removed labels Feb 23, 2026: docker, New Migration (Adding a new migration file. Take care when merging.), settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, integration_tests, ui, parser, helm, localization, lint
DryRun Security (@dryrunsecurity) commented

This pull request contains a code injection vulnerability: user-controlled workflow_dispatch inputs are interpolated directly into an actions/github-script JavaScript block, allowing an attacker to break out of the string context (e.g., via a crafted input with a quote) and execute arbitrary Node.js code on the runner with access to GITHUB_TOKEN and other job secrets.

Finding: Code Injection: Injection into github-script Javascript context in .github/workflows/release-3-master-into-dev.yml (7be69944)

Vulnerability: Code Injection: Injection into github-script Javascript context

Description: The workflow interpolates GitHub Actions expressions ${{ inputs.release_number_new }} and ${{ env.NEW_BRANCH }} directly into the script block of actions/github-script. These values are derived from user-controlled inputs in a workflow_dispatch trigger and are used without any prior validation in this workflow. An attacker can provide a crafted input containing a single quote (e.g., 1.2.3'; console.log(process.env); //) to break out of the Javascript string context and execute arbitrary Node.js code. This code runs with the privileges of the GitHub Actions runner and has access to the GITHUB_TOKEN and any other secrets available to the job.

title: 'Release: Merge back ${{ inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
head: '${{ env.NEW_BRANCH }}',
base: 'dev'
All finding details can be found in the DryRun Security Dashboard.
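The pattern the DryRun finding describes, with the defensive alternative beside it, as an added illustration that is not a file from the DefectDojo repository. The input name release_number_new and the NEW_BRANCH variable are taken from the finding; the job layout, how NEW_BRANCH is derived, and the validation step are assumptions. The point of the safer variant is that ${{ }} expressions are expanded by the runner before actions/github-script ever sees the text, so anything placed inside `script:` becomes JavaScript source, whereas values passed through `env:` and read from process.env stay runtime strings.

```yaml
# Added illustration, not the project's own workflow. Input and variable
# names follow the finding; job layout, branch derivation and the
# validation step are assumed.
on:
  workflow_dispatch:
    inputs:
      release_number_new:
        description: "Release number"
        required: true
        type: string

jobs:
  merge-back:
    runs-on: ubuntu-latest
    env:
      NEW_BRANCH: release/${{ inputs.release_number_new }}   # assumed derivation
    steps:
      # PATTERN FLAGGED BY THE FINDING: the expressions are substituted into
      # the JavaScript source text, so a quote in the input ends the string
      # literal and whatever follows is parsed as code.
      #
      # - uses: actions/github-script@v7
      #   with:
      #     script: |
      #       await github.rest.pulls.create({
      #         owner: context.repo.owner,
      #         repo: context.repo.repo,
      #         title: 'Release: Merge back ${{ inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
      #         head: '${{ env.NEW_BRANCH }}',
      #         base: 'dev'
      #       });

      # SAFER PATTERN, step 1: reject anything that is not a dotted version
      # number before it is used anywhere. The value reaches the shell through
      # an environment variable, not through ${{ }} inside the run block.
      - name: Validate release number
        env:
          RELEASE: ${{ inputs.release_number_new }}
        run: |
          case "$RELEASE" in
            ""|*[!0-9.]*) echo "release_number_new must contain only digits and dots" >&2; exit 1 ;;
          esac

      # SAFER PATTERN, step 2: hand the values to github-script as environment
      # variables and read them from process.env. The JavaScript source is now
      # constant; the input can only ever be a string value inside it.
      - uses: actions/github-script@v7
        env:
          RELEASE_NUMBER: ${{ inputs.release_number_new }}
          HEAD_BRANCH: ${{ env.NEW_BRANCH }}
        with:
          script: |
            const { RELEASE_NUMBER, HEAD_BRANCH } = process.env;
            await github.rest.pulls.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Release: Merge back ${RELEASE_NUMBER} into dev from: ${HEAD_BRANCH}`,
              body: `Release triggered by \`${process.env.GITHUB_ACTOR}\``,
              head: HEAD_BRANCH,
              base: 'dev',
            });
```

The same rule applies to `run:` blocks: an expression written directly into a shell script is substituted into the script text, while an `env:` mapping delivers the value as data that the shell quotes and expands normally.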

mtesauro (Contributor) left a comment


Approved

mtesauro requested review from Jino-T and rossops on February 24, 2026 02:26

valentijnscholten changed the base branch from dev to master on February 24, 2026 21:26

5 participants