
Fix: forbid 302 request to avoid SSRF #5000

Merged
merged 3 commits into from Nov 4, 2022

Conversation

wangyikewxgm
Collaborator

Forbid 302 requests to avoid SSRF in the list helm chart endpoint of apiServer.

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

Description of your changes

Fixes #

I have:

  • Read and followed KubeVela's contribution process.
  • Related Docs updated properly. In a new feature or configuration option, an update to the documentation is necessary.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

Special notes for your reviewer
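The protection this PR describes, refusing to follow a 302 from a user-supplied chart repository URL so the server cannot be steered toward an address it was never asked to fetch, as an added Go example that is not KubeVela's own code: the client's CheckRedirect hook rejects every redirect, and a constructed httptest server (hypothetical, with an assumed /index.yaml path) shows the request failing instead of hopping.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrRedirectForbidden is returned for any redirect (e.g. 302) the client refuses to follow.
var ErrRedirectForbidden = errors.New("redirect responses are forbidden")

// NewNoRedirectClient builds an http.Client whose CheckRedirect hook rejects every
// redirect, so a user-supplied repository URL cannot bounce the server elsewhere.
func NewNoRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return ErrRedirectForbidden // net/http wraps this in *url.Error
		},
	}
}

// FetchIndex GETs rawURL and returns the body; a 3xx answer becomes an error, not a followed hop.
func FetchIndex(client *http.Client, rawURL string) ([]byte, error) {
	resp, err := client.Get(rawURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// newRedirectingRepo is a constructed test server: /index.yaml answers 302 to /internal/index.yaml.
func newRedirectingRepo() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/internal/index.yaml", func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "entries: {}\n") })
	mux.Handle("/index.yaml", http.RedirectHandler("/internal/index.yaml", http.StatusFound))
	return httptest.NewServer(mux)
}

func main() {
	srv := newRedirectingRepo()
	defer srv.Close()
	_, err := FetchIndex(NewNoRedirectClient(), srv.URL+"/index.yaml")
	fmt.Println("redirect refused:", errors.Is(err, ErrRedirectForbidden)) // prints true
}
```

A production client should also set a Timeout and, where the repository host is user controlled, validate the resolved address before connecting; refusing redirects alone only closes the hop-based variant.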

@wangyikewxgm added the labels backport release-1.6 (adding this label will automatically backport this PR to the release-1.6 branch) and backport release-1.5 (adding this label will automatically backport this PR to the release-1.5 branch) on Nov 4, 2022
@codecov

codecov bot commented Nov 4, 2022

Codecov Report

Base: 61.49% // Head: 61.50% // Increases project coverage by +0.01% 🎉

Coverage data is based on head (fbeacb0) compared to base (7f1a901).
Patch coverage: 75.00% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5000      +/-   ##
==========================================
+ Coverage   61.49%   61.50%   +0.01%     
==========================================
  Files         305      305              
  Lines       33314    33315       +1     
==========================================
+ Hits        20485    20490       +5     
  Misses      10059    10059              
+ Partials     2770     2766       -4     
Flag Coverage Δ
apiserver-e2etests 35.67% <25.00%> (+0.05%) ⬆️
apiserver-unittests 36.99% <ø> (-0.03%) ⬇️
core-unittests 55.19% <75.00%> (+0.04%) ⬆️
e2e-multicluster-test 18.58% <25.00%> (-0.04%) ⬇️
e2e-rollout-tests 20.18% <0.00%> (-0.01%) ⬇️
e2etests 25.75% <0.00%> (-0.10%) ⬇️


Impacted Files Coverage Δ
pkg/utils/helm/helm_helper.go 60.24% <0.00%> (ø)
pkg/utils/common/common.go 60.17% <100.00%> (+1.06%) ⬆️
pkg/utils/errors/reason.go 33.33% <0.00%> (-16.67%) ⬇️
...aits/traitdefinition/traitdefinition_controller.go 63.07% <0.00%> (-7.70%) ⬇️
pkg/cue/definition/template.go 66.12% <0.00%> (-4.44%) ⬇️
pkg/apiserver/domain/repository/target.go 41.30% <0.00%> (-4.35%) ⬇️
pkg/apiserver/event/sync/store.go 73.33% <0.00%> (-4.00%) ⬇️
...troller/core.oam.dev/v1alpha2/application/apply.go 87.96% <0.00%> (-1.86%) ⬇️
pkg/apiserver/domain/service/authentication.go 50.66% <0.00%> (-1.00%) ⬇️
...ler/core.oam.dev/v1alpha2/application/generator.go 87.77% <0.00%> (-0.75%) ⬇️
... and 21 more


Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>
Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>
Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

fix ci

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>
@wonderflow wonderflow merged commit 85489c6 into kubevela:master Nov 4, 2022
34 checks passed
@github-actions

github-actions bot commented Nov 4, 2022

Successfully created backport PR #5003 for release-1.5.

@github-actions

github-actions bot commented Nov 4, 2022

Successfully created backport PR #5004 for release-1.6.

barnettZQG pushed a commit to barnettZQG/kubevela that referenced this pull request Jan 30, 2023
* fix helm chart list endpoint SSRF CVE

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

* revert error log

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

* change with const value

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

fix ci

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>

Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com>