Affected by GO-2022-0304 and 30 other vulnerabilities

GO-2022-0304: Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd

GO-2022-0357: Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0358: Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0359: Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd

GO-2022-0387: Helm OCI credentials leaked into Argo CD logs in github.com/argoproj/argo-cd

GO-2022-0453: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0454: Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd

GO-2022-0455: Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd

GO-2022-0495: DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd

GO-2022-0497: Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd

GO-2022-0498: Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd

GO-2022-0499: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2022-0516: Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd

GO-2022-0517: Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd

GO-2022-0518: Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd

GO-2022-0869: Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd

GO-2023-1512: Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd

GO-2023-1577: Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd

GO-2023-1670: Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd

GO-2023-2018: Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd

GO-2023-2049: Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd

GO-2023-2050: Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd

GO-2023-2085: Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2024-2646: Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2

GO-2024-2728: Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd

GO-2024-2792: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

GO-2024-2877: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

GO-2024-2898: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

GO-2024-2902: Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd

GO-2024-3002: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

GO-2024-3006: The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd

The highest tagged major version is v2.

session

package

v1.5.4 Latest Latest Go to latest Published: May 5, 2020 License: Apache-2.0 Imports: 12 Imported by: 52

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/argoproj/argo-cd

Links

Open Source Insights

Documentation ¶

Index ¶

func NewLoginRateLimiter(storage stateStorage, maxNumber int) func() (util.Closer, error)
func NewRedisStateStorage(client *redis.Client) *redisStateStorage
type Authenticator
type Server
- func NewServer(mgr *sessionmgr.SessionManager, authenticator Authenticator, ...) *Server

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewLoginRateLimiter ¶ added in v1.5.3

func NewLoginRateLimiter(storage stateStorage, maxNumber int) func() (util.Closer, error)

NewLoginRateLimiter creates a function which enforces max number of concurrent login requests. Function returns closer that should be closed when loging request has completed or error if number of incomplete requests exceeded max number.

func NewRedisStateStorage ¶ added in v1.5.3

func NewRedisStateStorage(client *redis.Client) *redisStateStorage

NewRedisStateStorage creates storage which leverages redis to establish distributed lock and store number of incomplete login requests.

Types ¶

type Authenticator ¶ added in v1.2.4

type Authenticator interface {
	Authenticate(ctx context.Context) (context.Context, error)
}

type Server ¶

type Server struct {
	// contains filtered or unexported fields
}

Server provides a Session service

func NewServer ¶

func NewServer(mgr *sessionmgr.SessionManager, authenticator Authenticator, rateLimiter func() (util.Closer, error)) *Server

NewServer returns a new instance of the Session service

func (*Server) AuthFuncOverride ¶

func (s *Server) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error)

AuthFuncOverride overrides the authentication function and let us not require auth to receive auth. Without this function here, ArgoCDServer.authenticate would be invoked and credentials checked. Since this service is generally invoked when the user has _no_ credentials, that would create a chicken-and-egg situation if we didn't place this here to allow traffic to pass through.

func (*Server) Create ¶

func (s *Server) Create(_ context.Context, q *session.SessionCreateRequest) (*session.SessionResponse, error)

Create generates a JWT token signed by Argo CD intended for web/CLI logins of the admin user using username/password

func (*Server) Delete ¶

func (s *Server) Delete(ctx context.Context, q *session.SessionDeleteRequest) (*session.SessionResponse, error)

Delete an authentication cookie from the client. This makes sense only for the Web client.

func (*Server) GetUserInfo ¶ added in v1.2.4

func (s *Server) GetUserInfo(ctx context.Context, q *session.GetUserInfoRequest) (*session.GetUserInfoResponse, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL