fix: code weakness of path traversal

[jparsai]

This PR is to fix a path traversal vulnerability CWE-22 where a malicious user could potentially craft a URL with special characters (like ../) to try and access files or directories outside of the intended UI asset directory

Here are logs from scanner:

argo_cd/app/server/server.go:1410:3: taint: The field "r.URL" is a source of untrusted data.
argo_cd/app/server/server.go:1410:3: sink: Calling "uiAssetExists". This call uses "r.URL.Path" for sensitive computation.
argo_cd/app/server/server.go:1387:12: identity: Calling "Trim". This call assigns "filename" to "<return value>".
argo_cd/app/server/server.go:1387:12: sink: Calling "Open". This call uses "Trim(filename, "/")" for sensitive computation. (The interface method resolves to "http.Dir.Open(string)".)
argo_cd/app/server/server.go:1410:3:
# 1408|           }
# 1409|   
# 1410|->         fileRequest := r.URL.Path != "/index.html" && server.uiAssetExists(r.URL.Path)
# 1411|   
# 1412|           // Set X-Frame-Options according to configuration

[bunnyshell]

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.00%. Comparing base (610523b) to head (521e850).
⚠️ Report is 470 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #22932      +/-   ##
==========================================
- Coverage   60.03%   60.00%   -0.04%     
==========================================
  Files         344      344              
  Lines       57781    57787       +6     
==========================================
- Hits        34689    34673      -16     
- Misses      20333    20356      +23     
+ Partials     2759     2758       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[crenshaw-dev]

In general, security concerns should be reported following these directions: https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability

[crenshaw-dev]

server.staticAssets by default only serves an embedded FS, so it shouldn't be vulnerable to traversal.

If the user has specified a --staticassets dir on the API deployment, they expand server.staticAssets to serve on-disk files. By my understanding of os.DirFS can only be escaped via symlinks, not just paths. Either way I'd want to see a PoC of a working exploit.

I think a better way to harden the --staticassets feature would be to use root.FS instead of os.DirFS.

[crenshaw-dev]

#22936

[jparsai]

Thanks, I guess I can close this PR then.

[crenshaw-dev]

Sounds good! Let me know if you have feedback on my PR's approach