- Bug
- Resolution: Done
- Critical
Description of Problem
Error: PATH_MANIPULATION (CWE-22): [#def37] [important]
argo_cd/app/server/server.go:1410:3: taint: The field "r.URL" is a source of untrusted data.
argo_cd/app/server/server.go:1410:3: sink: Calling "uiAssetExists". This call uses "r.URL.Path" for sensitive computation.
argo_cd/app/server/server.go:1387:12: identity: Calling "Trim". This call assigns "filename" to "<return value>".
argo_cd/app/server/server.go:1387:12: sink: Calling "Open". This call uses "Trim(filename, "/")" for sensitive computation. (The interface method resolves to "http.Dir.Open(string)".)
argo_cd/app/server/server.go:1410:3:
# 1408|   }
# 1409|
# 1410|-> fileRequest := r.URL.Path != "/index.html" && server.uiAssetExists(r.URL.Path)
# 1411|
# 1412|   // Set X-Frame-Options according to configuration
Error: PATH_MANIPULATION (CWE-22): [#def1] [important]
argo_rollouts/app/server/server_static.go:30:2: taint: The field "r.RequestURI" is a source of untrusted data.
argo_rollouts/app/server/server_static.go:30:2: identity: Calling "Clean". This call assigns "r.RequestURI" to "<return value>". Now "<return value>" is tainted.
argo_rollouts/app/server/server_static.go:30:2: assign: Assigning: "requestedURI" = "Clean(r.RequestURI)".
argo_rollouts/app/server/server_static.go:44:2: identity: Calling "TrimPrefix". This call assigns "requestedURI" to "<return value>". Now "<return value>" is tainted.
argo_rollouts/app/server/server_static.go:44:2: assign: Assigning: "<storage from new>[1]" = "TrimPrefix(requestedURI, rootPath)".
argo_rollouts/app/server/server_static.go:44:2: identity: Calling "Join". This call assigns "{staticBasePath, TrimPrefix(requestedURI, rootPath)}" to "<return value>". Now "<return value>" is tainted.
argo_rollouts/app/server/server_static.go:44:2: assign: Assigning: "embedPath" = "Join(staticBasePath, TrimPrefix(requestedURI, rootPath))".
argo_rollouts/app/server/server_static.go:51:20: sink: Calling "ReadFile". This call uses "embedPath" for sensitive computation.
argo_rollouts/app/server/server_static.go:51:20:
# 49|   }
# 50|
# 51|-> fileBytes, err := static.ReadFile(embedPath)
# 52|   if err != nil {
# 53|     if fileNotExistsOrIsDirectoryError(err) {
Problem Reproduction
- SAST scan results from v1.16.0-15 RC
Fix Approaches
- Remediation: Path manipulation vulnerabilities are addressed by validating the input before it reaches the filesystem call. Rejecting directory traversal sequences with a deny list improves safety, but the recommended approach is an allow list: restrict each path element to a specific set of permitted characters, and reject absolute paths and upward (`..`) traversal outright. The validated path, not the raw request value, is what gets passed to `Open` / `ReadFile`.
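One way to implement that allow-list approach for static-asset handlers like the two flagged above, as an added example written for this ticket (it is not code from the Argo CD or Argo Rollouts repositories). The mount prefix `rootPath`, the `staticBasePath` directory, the `fstest.MapFS` standing in for the embedded UI bundle and the file names in it are all assumptions; the technique is the one the remediation describes: canonicalise, allow-list every element, and only then hand the path to the filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path"
	"regexp"
	"strings"
	"testing/fstest"
)

// Assumed layout (not the Argo projects' real values): the UI is mounted
// under rootPath and its files live under staticBasePath inside the embedded FS.
const (
	rootPath       = "/rollouts/"
	staticBasePath = "ui/dist"
)

var errBadPath = errors.New("static asset path rejected")

// Allow-list for one path element: must start with a letter or digit and may
// then contain only letters, digits, '.', '_' and '-'. This rejects ".", "..",
// dotfiles, percent-encoding, backslashes and whitespace outright.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// assetPath maps a decoded request path (r.URL.Path, not r.RequestURI, which
// still carries the raw encoding and the query string) onto a path inside the
// embedded FS. It returns errBadPath for anything that is not a plain relative
// file name below staticBasePath.
func assetPath(requestPath string) (string, error) {
	// Canonicalise first: the leading "/" anchors the path at the root, so
	// "../" sequences collapse instead of climbing above it.
	cleaned := path.Clean("/" + strings.TrimPrefix(requestPath, rootPath))
	rel := strings.TrimPrefix(cleaned, "/")
	if rel == "" {
		rel = "index.html"
	}
	// Then allow-list every element of what is left.
	for _, seg := range strings.Split(rel, "/") {
		if !segmentRe.MatchString(seg) {
			return "", errBadPath
		}
	}
	full := path.Join(staticBasePath, rel)
	// Defence in depth: fs.ValidPath is the rule embed.FS itself enforces
	// (no "..", no absolute paths), and the prefix check pins the result
	// under the static directory.
	if !fs.ValidPath(full) || !strings.HasPrefix(full, staticBasePath+"/") {
		return "", errBadPath
	}
	return full, nil
}

// readAsset is the hardened counterpart of the static.ReadFile(embedPath) sink
// in the finding: the path is validated before the FS ever sees it.
func readAsset(fsys fs.FS, requestPath string) ([]byte, error) {
	p, err := assetPath(requestPath)
	if err != nil {
		return nil, err
	}
	return fs.ReadFile(fsys, p)
}

// sampleFS stands in for the embedded UI bundle (constructed sample data).
var sampleFS = fstest.MapFS{
	"ui/dist/index.html": {Data: []byte("<html>ui</html>")},
	"ui/dist/js/app.js":  {Data: []byte("console.log('app')")},
}

func main() {
	for _, req := range []string{
		"/rollouts/",                    // served as ui/dist/index.html
		"/rollouts/js/app.js",           // served as ui/dist/js/app.js
		"/rollouts/../../etc/passwd",    // collapses to ui/dist/etc/passwd (not found), never escapes
		"/rollouts/.env",                // rejected: dotfile
		"/rollouts/js/%2e%2e/secret.js", // rejected: '%' not in the allow-list
		"/rollouts/js\\..\\app.js",      // rejected: backslash not in the allow-list
	} {
		b, err := readAsset(sampleFS, req)
		fmt.Printf("%-32s -> %d bytes, err=%v\n", req, len(b), err)
	}
}
```

Two practitioner notes on the design. First, the Rollouts finding starts from `r.RequestURI`; that value is the raw request target, so it still contains percent-encoding and any `?query`, and `path.Clean` on it is not the same as cleaning the decoded path. Validating `r.URL.Path`, which `net/http` has already decoded, removes that ambiguity. Second, `http.Dir.Open` canonicalises with `path.Clean("/"+name)` and `embed.FS` refuses any name that fails `fs.ValidPath`, so neither sink lets `..` escape on its own; the explicit allow-list is what makes the control visible at the source of the taint (which is what the scanner traces), and it additionally refuses dotfiles and oddly encoded names instead of letting them fall through to a filesystem lookup.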
Acceptance Criteria
- SAST scan results for the next release do not contain CWE-22 (PATH_MANIPULATION) findings for these two locations
- clones: GITOPS-6629 SAST Scan Result: SIGMA.container_storing_secret_in_environment_variable (CWE-526) (Closed)