New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make directory enforcer more lenient and add flag #2716
Conversation
@jannfis @wecger @adamjohnson01 If possible, could you guys download and build this branch and see if the fix works as you would expect? The default behavior is to permit all files within a repo. |
Codecov Report
@@ Coverage Diff @@
## master #2716 +/- ##
==========================================
+ Coverage 38.38% 38.42% +0.04%
==========================================
Files 156 156
Lines 17292 17310 +18
Branches 203 203
==========================================
+ Hits 6638 6652 +14
- Misses 9831 9833 +2
- Partials 823 825 +2
Continue to review full report at Codecov.
|
@jannfis @wecger @adamjohnson01 Hope you guys don't mind if I try you one more time :) |
Sorry for the late reply @simster7 and also thanks for the quick PR - unfortunately, We didn't find the time to build from that branch yet, as we're pretty busy with other topics. I'll see if I find time over the weekend to test it out and let you know any feedback. |
@alexec This could potentially need to be backported. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still not built & tested, but reviewed the change. I just have some minor comments, please check.
IMHO for app where repo type is Git (as opposed to Helm) you should be able to read any file within the repo. No need for options. |
@alexec Sure, I can remove the option functionality. Since it's already implemented though, we could leave it in? Doesn't seem like it would hurt |
I'd prefer to not have extra code to maintain TBH. |
@alexec Removed the enforcer level option |
if appHelm.Values != "" { | ||
file, err := ioutil.TempFile(appPath, "values-*.yaml") | ||
file, err := ioutil.TempFile("", "values-*.yaml") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto
@alexec Ready for another look |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good so far. Can we allow URLs please?
Please dismiss and re-request review when ready - so it appears in my notifications. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
built, deployed and tested this branch on our env. Using value files from outside the chart folder, but inside the repo worked fine for me :) |
* Make directory enforcer more lenient and add flag * Fixes * Lint fixes * Lint fixes * Fixed test * Minor * Removed enforcer option * Move directory traversal check higher up * Go fmt * Allow URLs * Added test
Fixes: #2715 and updates change in #2452.
Adds a newargo-cd-cm
flag (helm.directoryEnforcerLevel
) to set Directory Enforcer level. Supported values are:Strict
: only allows access to files within the directory containingChart.yaml
Repo
(default): allows access to files within the entire repoChecklist: