Skip to content

Commit 3b8f673

Browse files
authored
Merge pull request from GHSA-g623-jcgg-mhmm
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
1 parent 479b554 commit 3b8f673

File tree

2 files changed

+30
-0
lines changed

2 files changed

+30
-0
lines changed

Diff for: server/application/application.go

+9
Original file line numberDiff line numberDiff line change
@@ -333,6 +333,15 @@ func (s *Server) Create(ctx context.Context, q *application.ApplicationCreateReq
333333
return nil, security.NamespaceNotPermittedError(appNs)
334334
}
335335

336+
// Don't let the app creator set the operation explicitly. Those requests should always go through the Sync API.
337+
if a.Operation != nil {
338+
log.WithFields(log.Fields{
339+
"application": a.Name,
340+
argocommon.SecurityField: argocommon.SecurityLow,
341+
}).Warn("User attempted to set operation on application creation. This could have allowed them to bypass branch protection rules by setting manifests directly. Ignoring the set operation.")
342+
a.Operation = nil
343+
}
344+
336345
created, err := s.appclientset.ArgoprojV1alpha1().Applications(appNs).Create(ctx, a, metav1.CreateOptions{})
337346
if err == nil {
338347
s.logAppEvent(created, ctx, argo.EventReasonResourceCreated, "created application")

Diff for: server/application/application_test.go

+21
Original file line numberDiff line numberDiff line change
@@ -1439,6 +1439,27 @@ func TestCreateAppWithDestName(t *testing.T) {
14391439
assert.Equal(t, app.Spec.Destination.Server, "https://cluster-api.example.com")
14401440
}
14411441

1442+
// TestCreateAppWithOperation tests that an application created with an operation is created with the operation removed.
1443+
// Avoids regressions of https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm
1444+
func TestCreateAppWithOperation(t *testing.T) {
1445+
appServer := newTestAppServer(t)
1446+
testApp := newTestAppWithDestName()
1447+
testApp.Operation = &appsv1.Operation{
1448+
Sync: &appsv1.SyncOperation{
1449+
Manifests: []string{
1450+
"test",
1451+
},
1452+
},
1453+
}
1454+
createReq := application.ApplicationCreateRequest{
1455+
Application: testApp,
1456+
}
1457+
app, err := appServer.Create(context.Background(), &createReq)
1458+
require.NoError(t, err)
1459+
require.NotNil(t, app)
1460+
assert.Nil(t, app.Operation)
1461+
}
1462+
14421463
func TestUpdateApp(t *testing.T) {
14431464
testApp := newTestApp()
14441465
appServer := newTestAppServer(t, testApp)

0 commit comments

Comments
 (0)