Skip to content

feat(api): protect static assets endpoint from symlink traversal #22936

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 13, 2025
Merged

feat(api): protect static assets endpoint from symlink traversal #22936

merged 3 commits into from
May 13, 2025

Conversation

@crenshaw-dev
Copy link
Member

@crenshaw-dev crenshaw-dev commented May 12, 2025

Taking advantage of new os.Root tool, building on ideas from here: #22932

@crenshaw-dev crenshaw-dev requested review from a team as code owners May 12, 2025 15:03
@bunnyshell
Copy link

bunnyshell bot commented May 12, 2025
edited
Loading

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@crenshaw-dev crenshaw-dev mentioned this pull request May 12, 2025
Closed
@crenshaw-dev
lint
811588b 
Signed-off-by: Michael Crenshaw <[email protected]>
todaywasawesome
todaywasawesome approved these changes May 12, 2025
View reviewed changes
Copy link
Contributor

@todaywasawesome todaywasawesome left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great addition, simple and focused.

@todaywasawesome
Copy link
Contributor

todaywasawesome commented May 12, 2025

I don't know why these tests failed, I'd try rerunning.

@crenshaw-dev
Copy link
Member Author

crenshaw-dev commented May 12, 2025

Interesting, looks like fs.Root doesn't like it when the directory doesn't exist. I'll add code to check if it exists and then just log a warning if not (to match current behavior):

15:25:52                api-server | �[m{"level":"fatal","msg":"open /shared/app: no such file or directory","time":"2025-05-12T15:25:52Z"}

@crenshaw-dev
fall back to static assets
ad5647f 
Signed-off-by: Michael Crenshaw <[email protected]>
@codecov
Copy link

codecov bot commented May 12, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 40.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.08%. Comparing base (610523b) to head (ad5647f).
⚠️ Report is 470 commits behind head on master.

Files with missing lines Patch % Lines
server/server.go 40.00% 5 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #22936      +/-   ##
==========================================
+ Coverage   60.03%   60.08%   +0.05%     
==========================================
  Files         344      344              
  Lines       57781    57795      +14     
==========================================
+ Hits        34689    34729      +40     
+ Misses      20333    20316      -17     
+ Partials     2759     2750       -9

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@crenshaw-dev
Copy link
Member Author

crenshaw-dev commented May 12, 2025

That got it. :-)

@crenshaw-dev crenshaw-dev merged commit 76a63a1 into argoproj:master May 13, 2025
27 checks passed
@crenshaw-dev crenshaw-dev deleted the fs-root-static-assets branch May 13, 2025 20:43
@crenshaw-dev crenshaw-dev mentioned this pull request May 13, 2025
Merged
@thevilledev thevilledev mentioned this pull request May 18, 2025
Merged
14 tasks
ranakan19 pushed a commit to ranakan19/argo-cd that referenced this pull request May 20, 2025
@crenshaw-dev @ranakan19
feat(api): protect static assets endpoint from symlink traversal (arg…
cb44ede 
…oproj#22936)

Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: Kanika Rana <[email protected]>
olivergondza pushed a commit to olivergondza/argo-cd that referenced this pull request May 20, 2025
@crenshaw-dev @olivergondza
feat(api): protect static assets endpoint from symlink traversal (arg…
093e9e8 
…oproj#22936)

Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: Oliver Gondža <[email protected]>
tylerrosnett pushed a commit to StateFarmIns/argo-cd that referenced this pull request May 27, 2025
@crenshaw-dev @tylerrosnett
feat(api): protect static assets endpoint from symlink traversal (arg…
9df61f0 
…oproj#22936)

Signed-off-by: Michael Crenshaw <[email protected]>
chansuke pushed a commit to chansuke/argo-cd that referenced this pull request Jun 4, 2025
@crenshaw-dev @chansuke
feat(api): protect static assets endpoint from symlink traversal (arg…
c3d3dad 
…oproj#22936)

Signed-off-by: Michael Crenshaw <[email protected]>
dsuhinin pushed a commit to dsuhinin/argo-cd that referenced this pull request Jun 16, 2025
@crenshaw-dev @dsuhinin
feat(api): protect static assets endpoint from symlink traversal (arg…
e709258 
…oproj#22936)

Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: dsuhinin <[email protected]>
dsuhinin pushed a commit to dsuhinin/argo-cd that referenced this pull request Jun 16, 2025
@crenshaw-dev @dsuhinin
feat(api): protect static assets endpoint from symlink traversal (arg…
a340e0c 
…oproj#22936)

Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: dsuhinin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@todaywasawesome todaywasawesome todaywasawesome approved these changes

@agaudreault agaudreault agaudreault approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@crenshaw-dev @todaywasawesome @agaudreault