    ab00d33c
    Fix potential controller sensitive data exposure by sprig template functions (#1703) · ab00d33c
    Artur Kraev authored
    **Description of the change**
    
    Fixing potential controller environment exposure by removing some sprig
    template functions:
    - `env`, `expandenv` - controller environment variables exposure (which
    can contain sensitive data)
    - `getHostByName` - adds the possibility to resolve DNS entries from
    templates, which is not secure in some cases

    This potential exposure was added by PR #1542, where the security risks were
    described in the "possible drawbacks" section.

    Also, the sprig func map is now initialized during module initialization and
    reused for rendering, which may improve performance.

    In fact, it is just a port of the
    [argocd](https://github.com/argoproj/argo-cd/blob/v2.11.3/applicationset/utils/utils.go#L31-L34)
    solution, which is described in the initial PR #1542
    
    **Benefits**
    
    - Fix potential controller sensitive data exposure
    - Improve rendering performance
    
    **Possible drawbacks**
    
    None
    
    Signed-off-by: Artur Kraev <ravenox@gmail.com>
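
The restriction the commit message describes, as an added example that is not the project's code: a template function map is built once at package initialization, `env`, `expandenv` and `getHostByName` are deleted from it, and a template that calls a removed function is then rejected at parse time. It assumes standard-library stand-ins in place of the real sprig functions; `baseFuncs`, `safeFuncs`, `render` and `DEMO_TOKEN` are hypothetical names.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"os"
	"strings"
	"text/template"
)

// baseFuncs stands in for sprig's generic function map (assumption: stdlib
// equivalents are used so the example runs without the sprig dependency).
func baseFuncs() template.FuncMap {
	return template.FuncMap{
		"env":           os.Getenv,
		"expandenv":     os.ExpandEnv,
		"getHostByName": net.LookupHost,
		"upper":         strings.ToUpper,
	}
}

// safeFuncs is created once, when the package is initialized, and is then
// reused for every render instead of being rebuilt per template.
var safeFuncs = baseFuncs()

func init() {
	for _, name := range []string{"env", "expandenv", "getHostByName"} {
		delete(safeFuncs, name)
	}
}

// render parses and executes tmpl using only the functions in funcs.
func render(funcs template.FuncMap, tmpl string, data interface{}) (string, error) {
	t, err := template.New("t").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err // a removed function fails here, before any execution
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

func main() {
	os.Setenv("DEMO_TOKEN", "constructed-secret") // constructed sample value
	out, _ := render(baseFuncs(), `{{ env "DEMO_TOKEN" }}`, nil)
	_, err := render(safeFuncs, `{{ env "DEMO_TOKEN" }}`, nil)
	fmt.Printf("full map: %q\nrestricted map: %v\n", out, err)
}
```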