Replies: 2 comments 1 reply
It sounds like you are describing kustomize. Kustomize allows you to reference resources from different directories and even ones that are remote.
1 reply
You're quite right, symlinks within the repo should be allowed. I believe this was fixed with GHSA-jhqp-vf4w-rpwq. There's even a unit test for this exact case. Here's the current bounds check: `argo-cd/reposerver/repository/repository.go`, line 1257 in 2ac7bd3.
The fix for GHSA-6gcg-hp2x-q54h (in this commit: d36d95d) feels overly strict. It prevents symlinking to files that aren't in the directory root, but are in the same repository.
I would prefer if symlinks were only prevented from reaching outside of their own repository root.
I trust all the commits in my repo, and I make use of symlinks to deduplicate identical manifest files, i.e. an application directory contains yaml files and a symlink to another directory of yaml files shared with other applications.
If this is still considered too insecure, then perhaps it could be a setting that could be enabled on the project or application level. I would be interested in contributing such changes if they are desirable.
If there are any other approaches to create an application of non-overlapping directories, I'd be eager to hear them.
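An added example (not Argo CD's own code, and not taken from the commits referenced above) of the kind of bounds check this thread discusses: a symlink is accepted when its target, resolved relative to the link's own directory, still lies under the repository root, and rejected when it escapes the root or is absolute. The root path, link paths and targets below are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a symlink would resolve outside the repository root.
var ErrOutsideRepo = errors.New("symlink target resolves outside the repository root")

// ResolveWithinRoot performs a lexical bounds check on a single symlink.
// linkRel is the link's path relative to root; target is the raw link target.
// Links into sibling or parent directories are allowed as long as the cleaned
// result is still under root (the "same repository" case from the discussion).
// It returns the resolved path relative to root on success.
func ResolveWithinRoot(root, linkRel, target string) (string, error) {
	// Absolute targets are rejected outright (assumption of this example):
	// filepath.Join would otherwise silently treat them as relative.
	if filepath.IsAbs(target) {
		return "", ErrOutsideRepo
	}
	// Resolve the target against the directory that contains the link, then clean.
	abs := filepath.Clean(filepath.Join(root, filepath.Dir(linkRel), target))
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return "", err
	}
	// A cleaned relative path of ".." or starting with "../" escapes the root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return rel, nil
}

// CheckRepoSymlink reads a real symlink under root and applies the check.
// Only one hop is examined; a chain of links must be checked link by link
// (or fully resolved with filepath.EvalSymlinks and re-checked against root).
func CheckRepoSymlink(root, linkRel string) (string, error) {
	target, err := os.Readlink(filepath.Join(root, linkRel))
	if err != nil {
		return "", err
	}
	return ResolveWithinRoot(root, linkRel, target)
}

func main() {
	root := "/srv/repo" // constructed repo root
	for _, c := range [][2]string{
		{"apps/foo/shared", "../../shared-manifests"}, // inside repo: allowed
		{"apps/foo/shared", "../../../etc"},           // escapes repo: rejected
		{"apps/foo/shared", "/etc/passwd"},            // absolute: rejected
	} {
		p, err := ResolveWithinRoot(root, c[0], c[1])
		fmt.Printf("%-16s -> %-22s : %q %v\n", c[0], c[1], p, err)
	}
}
```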