This repository was archived by the owner on Jun 1, 2026. It is now read-only.
security: CWE-95: Helm template injection prevention — VC-53728#148
Open
torresashjiancyber wants to merge 1 commit into
Summary

Mitigates CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) by using `--set-string` instead of `--set` for string values in Helm commands to prevent Go template injection.

Finding

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (Injection)

The CCM (Cluster Configuration Manager) and agent installation scripts evaluated Helm chart values using `--set` with user-supplied or environment-based values without sanitization. This allowed potential injection of arbitrary Go template directives (e.g., `{{ exec "cmd" }}`) when chart values were derived from user input or external sources.

CVSS: 7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Remediation

Changed `--set` to `--set-string` for all string-valued Helm chart parameters in:

- projects/nginx-plus/01.install-nginx.sh
- projects/discovery-context/discovery-svc.sh
- projects/ccm-agent/ccm_agent_oidc.sh
- projects/cert-discovery/Makefile

Boolean values (e.g., `controller.nginxplus=true`, `crds.venafiConnection.include=true`) remain as `--set` since they require boolean type interpretation.

Using `--set-string` treats values as literal strings and prevents Helm from interpreting them as Go templates, effectively blocking template injection attacks while maintaining functional equivalence for string parameters.

Verification

`--set-string` `--set`

🤖 Generated with Pattern-C security remediation
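The rule the PR applies (boolean literals stay on `--set`, every other value moves to `--set-string`) and the kind of check a reviewer would want for the empty Verification section, as an added POSIX shell example that is not code from the PR or the project. The function names (`helm_set_arg`, `build_helm_args`, `find_nonbool_set`, `count_nonbool_set`) and the install snippet written by `write_sample_script` are constructed here; the scanner assumes one `key=value` pair or comma-separated list per `--set` token with no whitespace inside values, which is the shape of the install scripts the PR names.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Applies the PR's rule
# (boolean literals stay on --set, every other value goes on --set-string)
# and scans a script for --set occurrences whose value is not a boolean.

# helm_set_arg KEY=VALUE
# Prints "--set KEY=VALUE" when VALUE is the literal true or false,
# otherwise "--set-string KEY=VALUE" so Helm keeps the value a plain string.
helm_set_arg() {
  kv=$1
  val=${kv#*=}
  case "$val" in
    true|false) printf '%s\n' "--set $kv" ;;
    *)          printf '%s\n' "--set-string $kv" ;;
  esac
}

# build_helm_args KEY=VALUE ...
# Prints the flags for a whole list of values on one line, e.g. for
# "helm upgrade --install ... $(build_helm_args a=true b=1.2)".
build_helm_args() {
  out=""
  for kv in "$@"; do
    out="$out $(helm_set_arg "$kv")"
  done
  printf '%s\n' "${out# }"
}

# find_nonbool_set FILE
# Prints each "--set key=value" pair in FILE whose value is not true/false.
# Comma-separated lists after a single --set are split and checked per pair.
# Assumptions: one pair or list per --set token and no whitespace inside
# values; --set-string is never matched because the pattern requires a
# space directly after --set.
find_nonbool_set() {
  grep -o -- '--set [^[:space:]]*' "$1" 2>/dev/null | awk '{
    n = split($2, pairs, ",")
    for (i = 1; i <= n; i++) {
      val = pairs[i]
      sub(/^[^=]*=/, "", val)
      if (val != "true" && val != "false") print pairs[i]
    }
  }'
}

# count_nonbool_set FILE
# Number of offending pairs; 0 means the script follows the PR's rule.
count_nonbool_set() {
  find_nonbool_set "$1" | awk 'END { print NR }'
}

# write_sample_script FILE
# Writes a constructed install snippet (not one of the PR's files) that mixes
# correct and incorrect usages, so the scan can be tried offline.
write_sample_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
helm upgrade --install nginx nginx-stable/nginx-ingress \
  --set controller.nginxplus=true \
  --set controller.image.tag="$IMAGE_TAG" \
  --set-string discovery.clusterName="$CLUSTER_NAME" \
  --set crds.venafiConnection.include=true,agent.apiKey="$API_KEY"
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_script "$tmp"
  echo "non-boolean values still passed with --set:"
  find_nonbool_set "$tmp"
  echo "count: $(count_nonbool_set "$tmp")"
  rm -f "$tmp"
fi
```

Running `count_nonbool_set` over each of the four files the PR lists and failing CI when it prints anything other than 0 turns the remediation into a regression check; `build_helm_args` is the constructive side, so new install scripts pick the flag per value instead of by hand.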