[Bot] docs: Update Snyk reports (argoproj#20052)
Signed-off-by: CI <ci@argoproj.com>
Co-authored-by: CI <ci@argoproj.com>
github-actions[bot] and CI committed Sep 24, 2024
1 parent 0710ff9 commit e1429f8
Showing 39 changed files with 12,311 additions and 251 deletions.
28 changes: 21 additions & 7 deletions docs/snyk/index.md
@@ -14,21 +14,35 @@ recent minor releases.
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](master/argocd-test.html) | 0 | 0 | 1 | 0 |
| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.41.1](master/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 1 |
| [haproxy:2.6.17-alpine](master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 |
| [redis:7.0.15-alpine](master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 4 | 8 |
| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 8 |
| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |

### v2.13.0-rc2

| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.13.0-rc2/argocd-test.html) | 0 | 0 | 1 | 0 |
| [ui/yarn.lock](v2.13.0-rc2/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.41.1](v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 1 |
| [haproxy:2.6.17-alpine](v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 |
| [redis:7.0.15-alpine](v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [argocd:v2.13.0-rc2](v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html) | 0 | 0 | 3 | 8 |
| [redis:7.0.15-alpine](v2.13.0-rc2/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](v2.13.0-rc2/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.13.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - |

### v2.12.3

| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.12.3/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.12.3/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.12.3/argocd-test.html) | 0 | 1 | 2 | 0 |
| [dex:v2.38.0](v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 |
| [haproxy:2.6.17-alpine](v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 |
| [redis:7.0.15-alpine](v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
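Review bot: the v2.12.3 dex row still pins dex:v2.38.0 with 6 Medium and 6 Low, while master and the new v2.13.0-rc2 section both scan dex:v2.41.1 and report a single Low; if the 2.12 branch is still receiving patch releases, bumping dex there would clear those twelve findings. The v2.12.3 ui/yarn.lock row also goes from 0 to 1 High in this run while master's ui/yarn.lock stays at 0 High and drops from 2 to 1 Medium, so the newly flagged package appears to be fixed on master already and is a backport candidate; the linked v2.12.3/argocd-test.html report identifies it.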
@@ -42,10 +56,10 @@ recent minor releases.
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.11.8/argocd-test.html) | 0 | 1 | 3 | 0 |
| [ui/yarn.lock](v2.11.8/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.11.8/argocd-test.html) | 0 | 1 | 2 | 0 |
| [dex:v2.38.0](v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 |
| [haproxy:2.6.14-alpine](v2.11.8/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 |
| [argocd:v2.11.8](v2.11.8/quay.io_argoproj_argocd_v2.11.8.html) | 0 | 0 | 7 | 16 |
| [argocd:v2.11.8](v2.11.8/quay.io_argoproj_argocd_v2.11.8.html) | 0 | 0 | 8 | 16 |
| [redis:7.0.15-alpine](v2.11.8/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](v2.11.8/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.11.8/argocd-iac-namespace-install.html) | - | - | - | - |
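Review bot: ui/yarn.lock gains a High (0 to 1) and argocd:v2.11.8 gains a Medium (7 to 8) with no matching increase on master in the first hunk, so these are most likely findings already remediated on master that need a backport to the 2.11 branch rather than new upstream advisories. The haproxy:2.6.14-alpine row (0 Critical, 1 High, 7 Medium, 6 Low) also trails the haproxy:2.6.17-alpine image used by 2.12 and newer, which reports 0 High and 2 Medium; moving 2.11 to the same base image would remove the High.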
@@ -55,10 +69,10 @@ recent minor releases.
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.10.16/argocd-test.html) | 0 | 1 | 4 | 0 |
| [ui/yarn.lock](v2.10.16/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.10.16/argocd-test.html) | 0 | 1 | 2 | 0 |
| [dex:v2.37.0](v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 6 |
| [haproxy:2.6.14-alpine](v2.10.16/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 |
| [argocd:v2.10.16](v2.10.16/quay.io_argoproj_argocd_v2.10.16.html) | 0 | 0 | 11 | 20 |
| [argocd:v2.10.16](v2.10.16/quay.io_argoproj_argocd_v2.10.16.html) | 0 | 0 | 12 | 20 |
| [redis:7.0.15-alpine](v2.10.16/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](v2.10.16/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.10.16/argocd-iac-namespace-install.html) | - | - | - | - |
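Review bot: dex:v2.37.0 on v2.10.16 is the only image in the whole table carrying a Critical (1 Critical, 1 High, 10 Medium, 6 Low); since the heading context describes these as recent minor releases, that row needs either a dex bump on the 2.10 branch or an explicit statement that 2.10 is no longer receiving security updates, otherwise the report gives a misleading impression of what is supported. The ui/yarn.lock High (0 to 1) and argocd:v2.10.16 Medium (11 to 12) follow the same increase seen on the 2.11 and 2.12 branches in the hunks above and share the same backport remedy.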
2 changes: 1 addition & 1 deletion docs/snyk/master/argocd-iac-install.html
@@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:20:57 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:21:06 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
2 changes: 1 addition & 1 deletion docs/snyk/master/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:21:06 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:21:16 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
89 changes: 8 additions & 81 deletions docs/snyk/master/argocd-test.html
@@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="3 known vulnerabilities found in 5 vulnerable dependency paths.">
<meta name="description" content="2 known vulnerabilities found in 4 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
@@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:18:53 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:18:54 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@@ -467,8 +467,8 @@ <h1 class="project__header__title">Snyk test report</h1>
</div>

<div class="meta-counts">
<div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>5 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>4 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2132</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
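Review bot: the dependency count stays at 2132 while known vulnerabilities drop from 3 to 2 and vulnerable paths from 5 to 4, which is consistent with the removed finding having been resolved by bumping an existing package in place rather than by dropping a dependency; the final hunk of this file shows the card that disappeared (dompurify reached through redoc). Worth confirming against the yarn.lock change that produced it, since this commit only touches the generated reports.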
@@ -561,7 +561,7 @@ <h3 class="card__section__title">Detailed paths</h3>
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression <code>/^\/([^\/]+?)-([^\/]+?)\/?$/</code>, if two parameters within a single segment are separated by a character other than a <code>/</code> or <code>.</code>. Poor performance will block the event loop and can lead to a DoS.</p>
<p><strong>Note:</strong>
Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this attack vector, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.</p>
While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the <code>strict</code> option, which returns an error if a dangerous regular expression is detected.</p>
<h2 id="workaround">Workaround</h2>
<p>This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes <code>-</code> and <code>/</code>.</p>
<h2 id="poc">PoC</h2>
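Review bot: the rewritten Note now states that patched pre-8.0.0 releases remain vulnerable when custom regular expressions are supplied, yet the unchanged Workaround paragraph directly below still recommends supplying a custom regular expression for parameters after the first in a segment. The two paragraphs read as being in tension and should be reconciled, for example by stating that the workaround is only safe when the custom pattern itself cannot backtrack (the exclusion of `-` and `/` that the text already gives) or by pointing readers to the `strict` option from 7.1.0 that the Note mentions. Since this HTML is Snyk-generated, that wording fix belongs in the upstream advisory text rather than in this repository.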
@@ -629,11 +629,13 @@ <h2 id="details">Details</h2>
</tbody></table>
<p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>path-to-regexp</code> to version 8.0.0 or higher.</p>
<p>Upgrade <code>path-to-regexp</code> to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f">GitHub Commit</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6">GitHub Commit</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/f73ec6c86b06f544b977119c2b62a16de480a6a9">GitHub Commit</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0">Strict Mode Release Note</a></li>
<li><a href="https://blakeembrey.com/posts/2024-09-web-redos/">Vulnerability Write-up</a></li>
</ul>

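Review bot: Remediation now lists 0.1.10, 1.9.0, 3.3.0 and 6.3.0 alongside 8.0.0 as fixed versions, but the Note in the preceding hunk says those backported patches remain vulnerable when custom regular expressions are used; a project whose transitive dependency is on one of those older lines should treat the listed version as sufficient only if no custom parameter patterns are in use, and the report would be clearer if that condition were repeated here rather than stated only in the Note. The two new references (the 7.1.0 strict-mode release note and the write-up) support the Note but do not remove that caveat.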
@@ -735,81 +737,6 @@ <h2 id="references">References</h2>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Template Injection</h2>
<div class="card__section">

<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow"></span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:

dompurify
</li>

<li class="card__meta__item">Introduced through:


argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others
</li>
</ul>

<hr/>


<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
redoc@2.0.0-rc.64
<span class="list-paths__item__arrow"></span>
dompurify@2.3.6

</span>

</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://github.com/cure53/DOMPurify">dompurify</a> is a DOM-only XSS sanitizer for HTML, MathML and SVG.</p>
<p>Affected versions of this package are vulnerable to Template Injection in <code>purify.js</code>, due to inconsistencies in the parsing of XML and HTML tags. Executable code can be injected in HTML inside XML <code>CDATA</code> blocks.</p>
<h2 id="poc">PoC</h2>
<pre><code>&lt;![CDATA[ &gt;&lt;img src onerror=alert(1)&gt; ]]&gt;
</code></pre>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>dompurify</code> to version 2.4.9, 3.0.11 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/cure53/DOMPurify/commit/0940755eacc86e48fd57ee90e9238964034c49b7">GitHub Commit</a></li>
<li><a href="https://github.com/cure53/DOMPurify/commit/c60a4dfdabc50fe67b758f1efff8c03d2b8c5472">GitHub Commit</a></li>
<li><a href="https://flatt.tech/research/posts/bypassing-dompurify-with-good-old-xml/">Vulnerability Report</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-DOMPURIFY-6474511">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
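Review bot: the dependency change that cleared this dompurify Template Injection finding (SNYK-JS-DOMPURIFY-6474511, dompurify@2.3.6 reached through redoc@2.0.0-rc.64, fixed in 2.4.9 / 3.0.11) is not in this commit, which touches only docs/snyk, so the removal of the card should reference the ui/yarn.lock change that resolved it. The index.md hunks above still show the v2.12.3, v2.11.8 and v2.10.16 ui/yarn.lock rows at 2 Medium, so it is worth checking whether the same redoc to dompurify path is still present on those release branches and backporting the upgrade if it is.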
2 changes: 1 addition & 1 deletion docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html
@@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:19:03 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:19:01 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
@@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:19:08 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:19:15 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
@@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:19:12 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:19:21 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>

0 comments on commit e1429f8