Merge pull request from GHSA-2q5c-qw9c-fmvq

* fix: prevent app enumeration Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> fix tests Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> better comments Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> tests for streaming API calls Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> fix logging Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> logs Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> warn Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> fix reversed arg order Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * more tests, fix incorrect param use Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> similar requests Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * fix merge issue Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * fix CLI to understand permission denied is not a fatal error Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * fix test to expect permission denied instead of validation error Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * upgrade notes Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --------- Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
argoproj · Mar 23, 2023 · ccb64f1 · ccb64f1
1 parent 6d4de2e
commit ccb64f1
Show file tree

Hide file tree

Showing 11 changed files with 954 additions and 215 deletions.
diff --git a/cmd/argocd/commands/app.go b/cmd/argocd/commands/app.go
@@ -165,7 +165,9 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 
 				// Get app before creating to see if it is being updated or no change
 				existing, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &app.Name})
-				if grpc.UnwrapGRPCStatus(err).Code() != codes.NotFound {
+				unwrappedError := grpc.UnwrapGRPCStatus(err).Code()
+				// As part of the fix for CVE-2022-41354, the API will return Permission Denied when an app does not exist.
+				if unwrappedError != codes.NotFound && unwrappedError != codes.PermissionDenied {
 					errors.CheckError(err)
 				}
 

diff --git a/docs/operator-manual/upgrading/2.4-2.5.md b/docs/operator-manual/upgrading/2.4-2.5.md
@@ -184,3 +184,16 @@ This note is just for clarity. No action is required.
 
 We [expected](../upgrading/2.3-2.4.md#enable-logs-rbac-enforcement) to enable logs RBAC enforcement by default in 2.5.
 We have decided not to do that in the 2.x series due to disruption for users of [Project Roles](../../user-guide/projects.md#project-roles).
+
+## `argocd app create` for old CLI versions fails with API version >=2.5.16
+
+Starting with Argo CD 2.5.16, the API returns `PermissionDenied` instead of `NotFound` for Application `GET` requests if
+the Application does not exist.
+
+The Argo CD CLI before versions starting with version 2.5.0-rc1 and before versions 2.5.16 and 2.6.7 does a `GET` 
+request before the `POST` request in `argocd app create`. The command does not gracefully handle the `PermissionDenied` 
+response and will therefore fail to create/update the Application.
+
+To solve the issue, upgrade the CLI to at least 2.5.16, or 2.6.7.
+
+CLIs older than 2.5.0-rc1 are unaffected.
diff --git a/docs/operator-manual/upgrading/2.5-2.6.md b/docs/operator-manual/upgrading/2.5-2.6.md
@@ -81,3 +81,17 @@ name. Argo CD v2.6 introduces support for specifying sidecar plugins by name.
 
 Removal of argocd-cm plugin support has been delayed until 2.7 to provide a transition time for users who need to 
 specify plugins by name. 
+
+## `argocd app create` for old CLI versions fails with API version >=2.6.7
+
+Starting with Argo CD 2.6.7, the API returns `PermissionDenied` instead of `NotFound` for Application `GET` requests if
+the Application does not exist.
+
+The Argo CD CLI before versions starting with version 2.5.0-rc1 and before versions 2.5.16 and 2.6.7 does a `GET`
+request before the `POST` request in `argocd app create`. The command does not gracefully handle the `PermissionDenied`
+response and will therefore fail to create/update the Application.
+
+To solve the issue, upgrade the CLI to at least 2.5.16, or 2.6.7.
+
+CLIs older than 2.5.0-rc1 are unaffected.
+
diff --git a/reposerver/apiclient/mocks/RepoServerService_GenerateManifestWithFilesClient.go b/reposerver/apiclient/mocks/RepoServerService_GenerateManifestWithFilesClient.go