Affected by GO-2022-0304 and 22 other vulnerabilities

GO-2022-0304: Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd

GO-2022-0357: Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0358: Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0359: Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd

GO-2022-0453: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0454: Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd

GO-2022-0455: Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd

GO-2022-0495: DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd

GO-2022-0497: Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd

GO-2022-0498: Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd

GO-2022-0499: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0516: Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd

GO-2022-0518: Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd

GO-2023-1520: JWT audience claim is not verified in github.com/argoproj/argo-cd

GO-2023-1670: Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd

GO-2023-2085: Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2024-2646: Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2

GO-2024-2792: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

GO-2024-2877: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

GO-2024-2898: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

GO-2024-3002: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

GO-2025-3427: ArgoCD Namespace Isolation Break in github.com/argoproj/argo-cd

GO-2025-3433: Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd

server

package

v2.0.2 Latest Latest Go to latest Published: May 20, 2021 License: Apache-2.0 Imports: 96 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/argoproj/argo-cd

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
type ArgoCDServer
- func NewServer(ctx context.Context, opts ArgoCDServerOpts) *ArgoCDServer
type ArgoCDServerOpts

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrNoSession = status.Errorf(codes.Unauthenticated, "no session information")

ErrNoSession indicates no auth token was supplied as part of a request

Functions ¶

This section is empty.

Types ¶

type ArgoCDServer ¶

type ArgoCDServer struct {
	ArgoCDServerOpts
	// contains filtered or unexported fields
}

ArgoCDServer is the API server for Argo CD

func NewServer ¶

func NewServer(ctx context.Context, opts ArgoCDServerOpts) *ArgoCDServer

NewServer returns a new instance of the Argo CD API server

func (*ArgoCDServer) Authenticate ¶

func (a *ArgoCDServer) Authenticate(ctx context.Context) (context.Context, error)

Authenticate checks for the presence of a valid token when accessing server-side resources.

func (*ArgoCDServer) Run ¶

func (a *ArgoCDServer) Run(ctx context.Context, port int, metricsPort int)

Run runs the API Server We use k8s.io/code-generator/cmd/go-to-protobuf to generate the .proto files from the API types. k8s.io/ go-to-protobuf uses protoc-gen-gogo, which comes from gogo/protobuf (a fork of golang/protobuf).

func (*ArgoCDServer) Shutdown ¶

func (a *ArgoCDServer) Shutdown()

Shutdown stops the Argo CD server

type ArgoCDServerOpts ¶

type ArgoCDServerOpts struct {
	DisableAuth         bool
	EnableGZip          bool
	Insecure            bool
	ListenPort          int
	MetricsPort         int
	Namespace           string
	DexServerAddr       string
	StaticAssetsDir     string
	BaseHRef            string
	RootPath            string
	KubeClientset       kubernetes.Interface
	AppClientset        appclientset.Interface
	RepoClientset       repoapiclient.Clientset
	Cache               *servercache.Cache
	RedisClient         *redis.Client
	TLSConfigCustomizer tlsutil.ConfigCustomizer
	XFrameOptions       string
}

Source Files ¶

View all Source files

server.go

Directories ¶

Path	Synopsis
account
application
badge
cache
certificate
cluster
gpgkey
logout
metrics
project
rbacpolicy
repocreds
repository
session
settings
oidc
version

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL