fix(exit in bash): Fix handling exit in initializer #10493

Closed
wants to merge 1 commit into from

Conversation

@kiblik kiblik (Contributor) commented Jul 2, 2024

The original exit (e.g. from #9002) worked correctly in sh.
However, by adding shellcheck, #9147 changed sh to bash which handles these situations differently.
Linter introduced an error that nobody noticed.
Issue discovered during investigation of #10490

@github-actions github-actions bot added the docker label Jul 2, 2024
dryrunsecurity bot commented Jul 2, 2024

Hi there 👋, @DryRunSecurity here. Below is a summary of our analysis and findings.

DryRun Security Status                  Findings
Server-Side Request Forgery Analyzer    0 findings
Configured Codepaths Analyzer           0 findings
IDOR Analyzer                           0 findings
Sensitive Files Analyzer                0 findings
SQL Injection Analyzer                  0 findings
Authn/Authz Analyzer                    0 findings
Secrets Analyzer                        0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes are part of the entrypoint-initializer.sh script used in a Docker environment for the DefectDojo application. This script is responsible for initializing and configuring the application during the startup process. The key changes include setting the set -e flag to handle errors effectively, loading external scripts for sensitive operations, initializing test types and permissions, creating an announcement banner, loading additional settings, managing audit log settings, creating an admin user with a random password, generating a JIRA webhook secret, and loading fixtures and installing the Watson search index.

From a security perspective, these changes appear to be focused on ensuring the application is properly configured and secured. The script handles several security-related tasks, such as managing permissions, audit logging, and user credentials. However, it's important to review the external scripts and additional settings files to ensure that they do not introduce any security vulnerabilities, such as improper handling of sensitive information or the introduction of potential attack vectors.

Files Changed:

  • docker/entrypoint-initializer.sh: This script is responsible for initializing and configuring the DefectDojo application in a Docker environment. The key changes include:
    • Setting the set -e flag to handle errors effectively
    • Loading external scripts for sensitive operations
    • Initializing test types and permissions
    • Creating an announcement banner
    • Loading additional settings
    • Checking and setting audit log settings
    • Creating an admin user with a random password
    • Generating a JIRA webhook secret
    • Loading fixtures and installing the Watson search index

Powered by DryRun Security

@kiblik kiblik marked this pull request as draft July 3, 2024 08:22
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm labels Jul 8, 2024
dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

The provided code changes focus on improving the initialization and setup process of the DefectDojo application, with a strong emphasis on security-related aspects, including error handling, database initialization, admin user creation, JIRA webhook secret management, fixtures loading, Watson search index installation, and announcement banner creation.

Summary:

The provided code changes are focused on improving the initialization and setup process of the DefectDojo application, with a strong emphasis on security-related aspects. The changes include improvements to error handling, database initialization, admin user creation, JIRA webhook secret management, fixtures loading, Watson search index installation, and announcement banner creation. These changes are generally positive from an application security perspective, as they help to ensure a more secure and reliable deployment of the application.

The key security-related improvements include the implementation of immediate script exit on command failures, secure generation of admin user passwords and JIRA webhook secrets, and proper handling of database migrations and application settings. Additionally, the script ensures the consistent loading of various fixtures and the proper installation of the Watson search index, which are crucial for the overall security and functionality of the application.

Files Changed:

  • docker/entrypoint-initializer.sh: This file is responsible for initializing the DefectDojo application during the container startup process. The changes include:
    1. Improved error handling with set -e to ensure the script exits immediately on command failures.
    2. Database initialization checks, including database migration and enable_auditlog setting consistency.
    3. Secure creation of admin user with randomly generated password.
    4. Generation of a random JIRA webhook secret and setting it in the system settings.
    5. Proper loading of various fixtures, including system settings, initial banner configuration, product types, and test types.
    6. Installation of the Watson search index, which is a crucial component for the application's search functionality.
    7. Creation of an announcement banner to inform users about cloud and on-premise subscriptions.

Overall, these changes demonstrate a strong focus on improving the security and reliability of the DefectDojo application's initialization and setup process.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

@github-actions github-actions bot removed settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm labels Jul 8, 2024
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui labels Aug 19, 2024
@kiblik kiblik changed the base branch from bugfix to dev August 19, 2024 18:58
@github-actions github-actions bot removed settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm localization labels Oct 21, 2024
@Maffooch Maffooch (Contributor) commented

It looks like there has not been any activity here for a while. In order to keep the list of pull requests in a manageable state, we are closing this one for now. If we are making a mistake here, please reopen the pull request, and leave us a note 😄
