actions

Feb 20, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 19, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 14, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 5, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 22, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 21, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 15, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 8, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 4, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 3, 2024 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Dec 24, 2023 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Dec 10, 2023 GO-2024-2581

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Changes in this version

type Config

+ Env struct{ ... }

+ type EnvGetter interface

+ Lookup func(name string) (string, bool)

+ type EnvironmentVariableGetter struct

+ Enabled bool

+ Prefix string

+ func NewEnvironmentVariableGetter(envEnabled bool, prefix string) *EnvironmentVariableGetter

+ func (o *EnvironmentVariableGetter) Lookup(name string) (string, bool)

Nov 30, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Nov 13, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Changes in this version

+ var File_actions_actions_proto protoreflect.FileDescriptor

Oct 25, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Oct 19, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Oct 15, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Oct 8, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Oct 8, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Oct 4, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Oct 3, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Oct 1, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Sep 14, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Sep 10, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Aug 29, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Aug 24, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Aug 20, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Aug 16, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Aug 15, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Aug 14, 2023 GO-2023-2397 +1 more

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Aug 8, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jun 18, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jun 9, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jun 4, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jun 1, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jun 1, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

May 21, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

May 21, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

May 10, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Changes in this version

+ var ErrIfExprNotBool = errors.New("hook 'if' expression should evaluate to a boolean")

type ActionHook

+ If string

type Task

+ If string

Apr 24, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Apr 19, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Changes in this version

+ type Config struct

+ Enabled bool

+ Lua struct{ ... }

type HookBase

+ Config Config

Apr 5, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 29, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 29, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 28, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 28, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 26, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 22, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 22, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 22, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 22, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 9, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 9, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Mar 6, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 26, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 23, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 8, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 7, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Feb 2, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 29, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 22, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 17, 2023 GO-2023-2012 +3 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

  GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

Jan 8, 2023 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 22, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 14, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 13, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

+ func DescendArgs(args interface{}) (descended interface{}, err error)

+ func LuaRun(l *lua.State, code, name string) error

type Hook

+ func NewLuaHook(h ActionHook, action *Action, e *http.Server) (Hook, error)

type HookBase

+ Endpoint *http.Server

type HookType

+ const HookTypeLua

+ type LuaHook struct

+ Args map[string]interface{}

+ Script string

+ ScriptPath string

+ func (h *LuaHook) Run(ctx context.Context, record graveler.HookRecord, buf *bytes.Buffer) error

type StoreService

+ func (s *StoreService) SetEndpoint(h *http.Server)

Nov 24, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Nov 16, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Nov 8, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 24, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 12, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 4, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 3, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Sep 22, 2022 GO-2023-2012 +2 more

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 9, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Sep 5, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Sep 4, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 30, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 23, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 23, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 22, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 17, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 11, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 3, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jul 14, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jul 11, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jun 21, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jun 15, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

+ const PartitionKey

+ const RunsPrefix

+ var ErrNilValue = errors.New("nil value")

+ var ErrParamConflict = errors.New("parameters conflict")

+ var File_actions_proto protoreflect.FileDescriptor

+ func BaseActionsPath(repoID string) string

+ func ByBranchPath(repoID, branchID string) string

+ func ByCommitPath(repoID, commitID string) string

+ func Migrate(ctx context.Context, d *pgxpool.Pool, writer io.Writer) error

+ func RunByBranchPath(repoID, branchID, runID string) string

+ func RunByCommitPath(repoID, commitID, runID string) string

+ func RunPath(repoID, runID string) string

+ func TasksPath(repoID, runID string) string

+ type DBStore struct

+ func (dbs *DBStore) GetRunResult(ctx context.Context, repositoryID, runID string) (*RunResult, error)

+ func (dbs *DBStore) GetTaskResult(ctx context.Context, repositoryID string, runID string, hookRunID string) (*TaskResult, error)

+ func (dbs *DBStore) ListRunResults(ctx context.Context, repositoryID string, branchID, commitID string, ...) (RunResultIterator, error)

+ func (dbs *DBStore) ListRunTaskResults(ctx context.Context, repositoryID string, runID string, after string) (TaskResultIterator, error)

+ func (dbs *DBStore) UpdateCommitID(ctx context.Context, repositoryID string, runID string, commitID string) (*RunManifest, error)

+ type DecreasingIDGenerator struct

+ func (gen *DecreasingIDGenerator) NewRunID() string

+ type IDGenerator interface

+ NewRunID func() string

+ type IncreasingIDGenerator struct

+ func (gen *IncreasingIDGenerator) NewRunID() string

+ type KVRunResultIterator struct

+ func NewKVRunResultIterator(ctx context.Context, store kv.StoreMessage, ...) (*KVRunResultIterator, error)

+ func (i *KVRunResultIterator) Close()

+ func (i *KVRunResultIterator) Err() error

+ func (i *KVRunResultIterator) Next() bool

+ func (i *KVRunResultIterator) Value() *RunResult

+ type KVStore struct

+ func (kvs *KVStore) GetRunResult(ctx context.Context, repositoryID string, runID string) (*RunResult, error)

+ func (kvs *KVStore) GetTaskResult(ctx context.Context, repositoryID string, runID string, hookRunID string) (*TaskResult, error)

+ func (kvs *KVStore) ListRunResults(ctx context.Context, repositoryID string, branchID, commitID string, ...) (RunResultIterator, error)

+ func (kvs *KVStore) ListRunTaskResults(ctx context.Context, repositoryID string, runID string, after string) (TaskResultIterator, error)

+ func (kvs *KVStore) UpdateCommitID(ctx context.Context, repositoryID string, runID string, commitID string) (*RunManifest, error)

+ type KVTaskResultIterator struct

+ func NewKVTaskResultIterator(ctx context.Context, store kv.StoreMessage, repositoryID, runID, after string) (*KVTaskResultIterator, error)

+ func (i *KVTaskResultIterator) Close()

+ func (i *KVTaskResultIterator) Err() error

+ func (i *KVTaskResultIterator) Next() bool

+ func (i *KVTaskResultIterator) Value() *TaskResult

type RunResult

+ func RunResultFromProto(pb *RunResultData) *RunResult

+ type RunResultData struct

+ BranchId string

+ CommitId string

+ EndTime *timestamppb.Timestamp

+ EventType string

+ Passed bool

+ RunId string

+ SourceRef string

+ StartTime *timestamppb.Timestamp

+ func (*RunResultData) Descriptor() ([]byte, []int)

+ func (*RunResultData) ProtoMessage()

+ func (x *RunResultData) GetBranchId() string

+ func (x *RunResultData) GetCommitId() string

+ func (x *RunResultData) GetEndTime() *timestamppb.Timestamp

+ func (x *RunResultData) GetEventType() string

+ func (x *RunResultData) GetPassed() bool

+ func (x *RunResultData) GetRunId() string

+ func (x *RunResultData) GetSourceRef() string

+ func (x *RunResultData) GetStartTime() *timestamppb.Timestamp

+ func (x *RunResultData) ProtoReflect() protoreflect.Message

+ func (x *RunResultData) Reset()

+ func (x *RunResultData) String() string

+ type Store interface

+ GetRunResult func(ctx context.Context, repositoryID string, runID string) (*RunResult, error)

+ GetTaskResult func(ctx context.Context, repositoryID string, runID string, hookRunID string) (*TaskResult, error)

+ ListRunResults func(ctx context.Context, repositoryID string, branchID, commitID string, ...) (RunResultIterator, error)

+ ListRunTaskResults func(ctx context.Context, repositoryID string, runID string, after string) (TaskResultIterator, error)

+ UpdateCommitID func(ctx context.Context, repositoryID string, runID string, commitID string) (*RunManifest, error)

+ func NewActionsDBStore(db db.Database) Store

+ func NewActionsKVStore(store kv.StoreMessage) Store

+ type StoreService struct

+ Source Source

+ Store Store

+ Writer OutputWriter

+ func (s *StoreService) GetRunResult(ctx context.Context, repositoryID string, runID string) (*RunResult, error)

+ func (s *StoreService) GetTaskResult(ctx context.Context, repositoryID string, runID string, hookRunID string) (*TaskResult, error)

+ func (s *StoreService) ListRunResults(ctx context.Context, repositoryID string, branchID, commitID string, ...) (RunResultIterator, error)

+ func (s *StoreService) ListRunTaskResults(ctx context.Context, repositoryID string, runID string, after string) (TaskResultIterator, error)

+ func (s *StoreService) NewRunID() string

+ func (s *StoreService) PostCommitHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) PostCreateBranchHook(_ context.Context, record graveler.HookRecord)

+ func (s *StoreService) PostCreateTagHook(_ context.Context, record graveler.HookRecord)

+ func (s *StoreService) PostDeleteBranchHook(_ context.Context, record graveler.HookRecord)

+ func (s *StoreService) PostDeleteTagHook(_ context.Context, record graveler.HookRecord)

+ func (s *StoreService) PostMergeHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) PreCommitHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) PreCreateBranchHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) PreCreateTagHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) PreDeleteBranchHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) PreDeleteTagHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) PreMergeHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) Run(ctx context.Context, record graveler.HookRecord) error

+ func (s *StoreService) Stop()

+ func (s *StoreService) UpdateCommitID(ctx context.Context, repositoryID string, storageNamespace string, ...) error

+ type TaskResultData struct

+ ActionName string

+ EndTime *timestamppb.Timestamp

+ HookId string

+ HookRunId string

+ Passed bool

+ RunId string

+ StartTime *timestamppb.Timestamp

+ func (*TaskResultData) Descriptor() ([]byte, []int)

+ func (*TaskResultData) ProtoMessage()

+ func (x *TaskResultData) GetActionName() string

+ func (x *TaskResultData) GetEndTime() *timestamppb.Timestamp

+ func (x *TaskResultData) GetHookId() string

+ func (x *TaskResultData) GetHookRunId() string

+ func (x *TaskResultData) GetPassed() bool

+ func (x *TaskResultData) GetRunId() string

+ func (x *TaskResultData) GetStartTime() *timestamppb.Timestamp

+ func (x *TaskResultData) ProtoReflect() protoreflect.Message

+ func (x *TaskResultData) Reset()

+ func (x *TaskResultData) String() string

May 25, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

May 17, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

type Airflow

+ Timeout time.Duration

+ WaitForDAG bool

Apr 29, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Apr 17, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Apr 3, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

+ var ErrInvalidEventParameter = errors.New("invalid event parameter")

type EventInfo

+ CommitID string

+ TagID string

type Service

+ func (s *Service) PostCreateBranchHook(_ context.Context, record graveler.HookRecord)

+ func (s *Service) PostCreateTagHook(_ context.Context, record graveler.HookRecord)

+ func (s *Service) PostDeleteBranchHook(_ context.Context, record graveler.HookRecord)

+ func (s *Service) PostDeleteTagHook(_ context.Context, record graveler.HookRecord)

+ func (s *Service) PreCreateBranchHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) PreCreateTagHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) PreDeleteBranchHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) PreDeleteTagHook(ctx context.Context, record graveler.HookRecord) error

Mar 7, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Feb 28, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Feb 27, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Feb 15, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Feb 8, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jan 26, 2022 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 26, 2021 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 20, 2021 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 16, 2021 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 5, 2021 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Nov 17, 2021 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Nov 8, 2021 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 27, 2021 GO-2022-1019 +3 more

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 25, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 10, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 4, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Oct 4, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Sep 14, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Sep 5, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Sep 2, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Sep 2, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Aug 22, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

+ const HeadersPropertyKey

+ type SecureString struct

+ func NewSecureString(s string) (SecureString, error)

+ func (s SecureString) String() string

type Webhook

+ Headers map[string]SecureString

Jul 28, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

+ type Airflow struct

+ DAGConf map[string]interface{}

+ DagID string

+ Password string

+ URL string

+ Username string

+ func (a *Airflow) Run(ctx context.Context, record graveler.HookRecord, writer *HookOutputWriter) error

+ type DagRunReq struct

+ Conf map[string]interface{}

+ DagRunID string

+ type EventInfo struct

+ ActionName string

+ BranchID string

+ CommitMessage string

+ CommitMetadata map[string]string

+ Committer string

+ EventTime string

+ EventType string

+ HookID string

+ RepositoryID string

+ SourceRef string

type Hook

+ func NewAirflowHook(h ActionHook, action *Action) (Hook, error)

+ type HookBase struct

+ ActionName string

+ ID string

type HookType

+ const HookTypeAirflow

+ type Properties map[string]interface

Jul 19, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jul 19, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

type OnEvents

+ PostCommit *ActionOn

+ PostMerge *ActionOn

type Service

+ func (s *Service) Stop()

Jul 7, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jul 7, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jul 1, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jun 24, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jun 8, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

May 30, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

May 12, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

May 3, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Apr 25, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Apr 20, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Apr 20, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Mar 17, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Changes in this version

+ const LogOutputExtension

+ const LogOutputLocation

+ var ErrInvalidAction = errors.New("invalid action")

+ var ErrInvalidEventType = errors.New("invalid event type")

+ var ErrIteratorClosed = errors.New("iterator closed")

+ var ErrNotFound = errors.New("not found")

+ var ErrUnknownHookType = errors.New("unknown hook type")

+ var ErrWebhookRequestFailed = errors.New("webhook request failed")

+ var ErrWebhookWrongFormat = errors.New("webhook wrong format")

+ func FormatHookOutputPath(runID, hookRunID string) string

+ func FormatRunManifestOutputPath(runID string) string

+ func NewHookRunID(actionIdx, hookIdx int) string

+ type Action struct

+ Description string

+ Hooks []ActionHook

+ Name string

+ On OnEvents

+ func LoadActions(ctx context.Context, source Source, record graveler.HookRecord) ([]*Action, error)

+ func MatchedActions(actions []*Action, spec MatchSpec) ([]*Action, error)

+ func ParseAction(data []byte) (*Action, error)

+ func (a *Action) Match(spec MatchSpec) (bool, error)

+ func (a *Action) Validate() error

+ type ActionHook struct

+ Description string

+ ID string

+ Properties map[string]interface{}

+ Type HookType

+ type ActionOn struct

+ Branches []string

+ type DBRunResultIterator struct

+ func NewDBRunResultIterator(ctx context.Context, db db.Database, fetchSize int, repositoryID string, ...) *DBRunResultIterator

+ func (it *DBRunResultIterator) Close()

+ func (it *DBRunResultIterator) Err() error

+ func (it *DBRunResultIterator) Next() bool

+ func (it *DBRunResultIterator) Value() *RunResult

+ type DBTaskResultIterator struct

+ func NewDBTaskResultIterator(ctx context.Context, db db.Database, fetchSize int, ...) *DBTaskResultIterator

+ func (it *DBTaskResultIterator) Close()

+ func (it *DBTaskResultIterator) Err() error

+ func (it *DBTaskResultIterator) Next() bool

+ func (it *DBTaskResultIterator) Value() *TaskResult

+ type Hook interface

+ Run func(ctx context.Context, record graveler.HookRecord, writer *HookOutputWriter) error

+ func NewHook(h ActionHook, a *Action) (Hook, error)

+ func NewWebhook(h ActionHook, action *Action) (Hook, error)

+ type HookOutputWriter struct

+ ActionName string

+ HookID string

+ HookRunID string

+ RunID string

+ StorageNamespace string

+ Writer OutputWriter

+ func (h *HookOutputWriter) OutputWrite(ctx context.Context, reader io.Reader, size int64) error

+ type HookType string

+ const HookTypeWebhook

+ type MatchSpec struct

+ BranchID graveler.BranchID

+ EventType graveler.EventType

+ type NewHookFunc func(ActionHook, *Action) (Hook, error)

+ type OnEvents struct

+ PreCommit *ActionOn

+ PreMerge *ActionOn

+ type OutputWriter interface

+ OutputWrite func(ctx context.Context, storageNamespace, name string, reader io.Reader, ...) error

+ type RunManifest struct

+ HooksRun []TaskResult

+ Run RunResult

+ type RunResult struct

+ BranchID string

+ CommitID string

+ EndTime time.Time

+ EventType string

+ Passed bool

+ RunID string

+ SourceRef string

+ StartTime time.Time

+ type RunResultIterator interface

+ Close func()

+ Err func() error

+ Next func() bool

+ Value func() *RunResult

+ type Service struct

+ DB db.Database

+ Source Source

+ Writer OutputWriter

+ func NewService(db db.Database, source Source, writer OutputWriter) *Service

+ func (s *Service) GetRunResult(ctx context.Context, repositoryID string, runID string) (*RunResult, error)

+ func (s *Service) GetTaskResult(ctx context.Context, repositoryID string, runID string, hookRunID string) (*TaskResult, error)

+ func (s *Service) ListRunResults(ctx context.Context, repositoryID string, branchID, commitID string, ...) (RunResultIterator, error)

+ func (s *Service) ListRunTaskResults(ctx context.Context, repositoryID string, runID string, after string) (TaskResultIterator, error)

+ func (s *Service) PostCommitHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) PostMergeHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) PreCommitHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) PreMergeHook(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) Run(ctx context.Context, record graveler.HookRecord) error

+ func (s *Service) UpdateCommitID(ctx context.Context, repositoryID string, storageNamespace string, ...) error

+ type Source interface

+ List func(ctx context.Context, record graveler.HookRecord) ([]string, error)

+ Load func(ctx context.Context, record graveler.HookRecord, name string) ([]byte, error)

+ type Task struct

+ Action *Action

+ EndTime time.Time

+ Err error

+ Hook Hook

+ HookID string

+ HookRunID string

+ RunID string

+ StartTime time.Time

+ type TaskResult struct

+ ActionName string

+ EndTime time.Time

+ HookID string

+ HookRunID string

+ Passed bool

+ RunID string

+ StartTime time.Time

+ func (r *TaskResult) LogPath() string

+ type TaskResultIterator interface

+ Close func()

+ Err func() error

+ Next func() bool

+ Value func() *TaskResult

+ type Webhook struct

+ ActionName string

+ ID string

+ QueryParams map[string][]string

+ Timeout time.Duration

+ URL string

+ func (w *Webhook) Run(ctx context.Context, record graveler.HookRecord, writer *HookOutputWriter) (err error)

+ type WebhookEventInfo struct

+ ActionName string

+ BranchID string

+ CommitMessage string

+ CommitMetadata map[string]string

+ Committer string

+ EventTime string

+ EventType string

+ HookID string

+ RepositoryID string

+ SourceRef string

Mar 29, 2022 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jan 25, 2022 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jan 25, 2022 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Jan 25, 2022 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

Dec 26, 2021 GO-2022-0375 +4 more

  GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

  GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

  GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

  GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

  GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs