From e7cd0944a61fe89dff22930ee70317f121d0eef3 Mon Sep 17 00:00:00 2001 From: Tsubasa Umeuchi Date: Fri, 10 Jun 2022 12:38:42 +0900 Subject: [PATCH 1/7] Add breaking changes note --- docs/content/en/blog/releases/v0.33.0.md | 26 +++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/content/en/blog/releases/v0.33.0.md b/docs/content/en/blog/releases/v0.33.0.md index 58293fe006..76daab4af3 100644 --- a/docs/content/en/blog/releases/v0.33.0.md +++ b/docs/content/en/blog/releases/v0.33.0.md 
@@ -8,12 +8,36 @@ description: > ## Changelog since v0.32.4 +### Breaking Changes + +Disallow valueFiles from paths outside the application directory to prevent potential dirtrav vulnerability ([#3726](https://github.com/pipe-cd/pipecd/pull/3726)). + +According to a recently discovered [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm Values file path. + +For this reason, PipeCD has restricted the path that can be specified as the Values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726). + +Therefore, for example, in the following specification of Values file paths, the first three are allowed, but the last two are not. + +```yaml +helmOptions: + valueFiles: + # allowed + - values.yaml + - ./foo/bar/values.yaml + - /path/to/dir-where-application-configuration-file-exists/values.yaml + + # disallowed + - ../../../../path/to/dir-where-application-configuration-file-NOT-exists/values.yaml + - /path/to/dir-where-application-configuration-file-NOT-exists/values.yaml +``` + +For more information, please see [HelmOptions configuration-reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions). + ### Notable Changes * Sort the application suggestion name in application filter form ([#3740](https://github.com/pipe-cd/pipecd/pull/3740)) * Make piped upgrade version input box selectable ([#3734](https://github.com/pipe-cd/pipecd/pull/3734)) * Add feature to show piped config on web console ([#3673](https://github.com/pipe-cd/pipecd/pull/3673)) -* Add validation to helm values file path to prevent potential dirtrav vulnerability ([#3726](https://github.com/pipe-cd/pipecd/pull/3726)) ### Internal Changes From a54cbf599c2a14bdb812a12808bb140650586b49 Mon Sep 17 00:00:00 2001 
From: Tsubasa Umeuchi Date: Fri, 10 Jun 2022 12:41:09 +0900 Subject: [PATCH 2/7] Update breaking changes --- docs/content/en/blog/releases/v0.33.0.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/content/en/blog/releases/v0.33.0.md b/docs/content/en/blog/releases/v0.33.0.md index 76daab4af3..0d195df60a 100644 --- a/docs/content/en/blog/releases/v0.33.0.md +++ b/docs/content/en/blog/releases/v0.33.0.md @@ -10,13 +10,11 @@ description: > ### Breaking Changes -Disallow valueFiles from paths outside the application directory to prevent potential dirtrav vulnerability ([#3726](https://github.com/pipe-cd/pipecd/pull/3726)). +According to a recently discovered [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm values file path. -According to a recently discovered [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm Values file path. +For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).. -For this reason, PipeCD has restricted the path that can be specified as the Values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726). - -Therefore, for example, in the following specification of Values file paths, the first three are allowed, but the last two are not. +Therefore, for example, in the following specification of values file paths, the first three are allowed, but the last two are not. ```yaml helmOptions: 
From 6ac0b9fecf124a4b15025ca51ccb4822d0dd9c6b Mon Sep 17 00:00:00 2001 From: Tsubasa Umeuchi Date: Fri, 10 Jun 2022 12:43:40 +0900 Subject: [PATCH 3/7] Fix typo --- docs/content/en/blog/releases/v0.33.0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/en/blog/releases/v0.33.0.md b/docs/content/en/blog/releases/v0.33.0.md index 0d195df60a..47f9d9f671 100644 --- a/docs/content/en/blog/releases/v0.33.0.md +++ b/docs/content/en/blog/releases/v0.33.0.md @@ -12,7 +12,7 @@ description: > According to a recently discovered [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm values file path. -For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).. +For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726). Therefore, for example, in the following specification of values file paths, the first three are allowed, but the last two are not. 
@@ -22,11 +22,11 @@ helmOptions: # allowed - values.yaml - ./foo/bar/values.yaml - - /path/to/dir-where-application-configuration-file-exists/values.yaml + - /path/to/dir-where-application-configuration-exists/values.yaml # disallowed - ../../../../path/to/dir-where-application-configuration-file-NOT-exists/values.yaml - - /path/to/dir-where-application-configuration-file-NOT-exists/values.yaml + - /path/to/dir-where-application-configuration-NOT-exists/values.yaml ``` For more information, please see [HelmOptions configuration-reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions). From 847716e5e9451e9e4da06b93ca20c0fa1251ae6d Mon Sep 17 00:00:00 2001 From: Tsubasa Umeuchi Date: Fri, 10 Jun 2022 12:47:04 +0900 Subject: [PATCH 4/7] Update examples --- docs/content/en/blog/releases/v0.33.0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/en/blog/releases/v0.33.0.md b/docs/content/en/blog/releases/v0.33.0.md index 47f9d9f671..1283883ace 100644 --- a/docs/content/en/blog/releases/v0.33.0.md +++ b/docs/content/en/blog/releases/v0.33.0.md @@ -22,11 +22,11 @@ helmOptions: # allowed - values.yaml - ./foo/bar/values.yaml - - /path/to/dir-where-application-configuration-exists/values.yaml + - /path/to/application-configuration-dir/values.yaml # disallowed - - ../../../../path/to/dir-where-application-configuration-file-NOT-exists/values.yaml - - /path/to/dir-where-application-configuration-NOT-exists/values.yaml + - ../../../../path/to/NOT-application-configuration-dir/values.yaml + - /path/to/NOT-application-configuration-dir/values.yaml ``` For more information, please see [HelmOptions configuration-reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions). From 2bcc1b91e8ddbbf52722f9947f5fc3468c846705 Mon Sep 17 00:00:00 2001 
From: Tsubasa Umeuchi Date: Fri, 10 Jun 2022 12:48:08 +0900 Subject: [PATCH 5/7] Update examples --- docs/content/en/blog/releases/v0.33.0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/en/blog/releases/v0.33.0.md b/docs/content/en/blog/releases/v0.33.0.md index 1283883ace..1a37ad978b 100644 --- a/docs/content/en/blog/releases/v0.33.0.md +++ b/docs/content/en/blog/releases/v0.33.0.md @@ -25,8 +25,8 @@ helmOptions: - /path/to/application-configuration-dir/values.yaml # disallowed - - ../../../../path/to/NOT-application-configuration-dir/values.yaml - - /path/to/NOT-application-configuration-dir/values.yaml + - ../../../../path/to/OTHER-application-configuration-dir-or-such/values.yaml + - /path/to/OTHER-application-configuration-dir-or-such/values.yaml ``` For more information, please see [HelmOptions configuration-reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions). From 63d23d5ab66d582b1dd30b072a22bbbcaa9292f1 Mon Sep 17 00:00:00 2001 From: Tsubasa Umeuchi Date: Fri, 10 Jun 2022 12:50:47 +0900 Subject: [PATCH 6/7] Update note --- docs/content/en/blog/releases/v0.33.0.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/en/blog/releases/v0.33.0.md b/docs/content/en/blog/releases/v0.33.0.md index 1a37ad978b..11213b01ae 100644 --- a/docs/content/en/blog/releases/v0.33.0.md +++ b/docs/content/en/blog/releases/v0.33.0.md 
@@ -12,7 +12,7 @@ description: > According to a recently discovered [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm values file path. -For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726). +For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration exists (aka. the application directory) when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726). Therefore, for example, in the following specification of values file paths, the first three are allowed, but the last two are not. @@ -22,11 +22,11 @@ helmOptions: # allowed - values.yaml - ./foo/bar/values.yaml - - /path/to/application-configuration-dir/values.yaml + - /path/to/application-directory/values.yaml # disallowed - - ../../../../path/to/OTHER-application-configuration-dir-or-such/values.yaml - - /path/to/OTHER-application-configuration-dir-or-such/values.yaml + - ../../../../path/to/OTHER-application-directory-or-such/values.yaml + - /path/to/OTHER-application-directory-or-such/values.yaml ``` For more information, please see [HelmOptions configuration-reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions). From 5b73a4da607a2649dab853e068f8ed468927e400 Mon Sep 17 00:00:00 2001 From: Tsubasa Umeuchi Date: Fri, 10 Jun 2022 12:51:08 +0900 Subject: [PATCH 7/7] Fix typo --- docs/content/en/blog/releases/v0.33.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/blog/releases/v0.33.0.md b/docs/content/en/blog/releases/v0.33.0.md index 11213b01ae..740f8b0630 100644 
--- a/docs/content/en/blog/releases/v0.33.0.md +++ b/docs/content/en/blog/releases/v0.33.0.md @@ -29,7 +29,7 @@ helmOptions: - /path/to/OTHER-application-directory-or-such/values.yaml ``` -For more information, please see [HelmOptions configuration-reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions). +For more information, please see [HelmOptions configuration reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions). ### Notable Changes
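Review bot: The sentence added in the 1/7 hunk, "According to a recently discovered [vulnerability](...), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm Values file path", is ungrammatical and survives unchanged through all seven patches; suggest "A recently disclosed [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348) showed that a directory traversal is possible when an arbitrary path can be specified as the Helm values file path." The same hunk should also say whether PipeCD itself was affected or is applying the mitigation proactively, since the bare CVE link reads as though the identifier belongs to PipeCD, and the headline should spell out "directory traversal" instead of the shorthand "dirtrav" in a user-facing release note. Finally, the allowed/disallowed YAML only shows escape via a leading `../../../../` or a foreign absolute path; state whether the check is applied to the normalized path (so an entry such as `./foo/../../values.yaml` would also be rejected) and whether symlinks under the application directory that resolve outside it are followed, because readers deciding whether their existing `valueFiles` entries will break need the rule, not just two examples.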
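Review bot: The 2/7 hunk introduces a double period at the end of the line "... when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).." and, at the same time, deletes the only one-line summary of the change ("Disallow valueFiles from paths outside the application directory ..."). The stray period is fixed in 3/7, so squash the two; and keep a single headline such as "Disallow `valueFiles` paths outside the application directory to prevent directory traversal ([#3726](https://github.com/pipe-cd/pipecd/pull/3726))" above the explanatory paragraphs so the breaking change is readable at a glance in the changelog.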
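Review bot: The second hunk of 3/7 (`@@ -22,11 +22,11 @@ helmOptions:`) renames the allowed absolute example to `dir-where-application-configuration-exists` and the disallowed absolute one to `dir-where-application-configuration-NOT-exists`, but leaves the relative disallowed entry as `../../../../path/to/dir-where-application-configuration-file-NOT-exists/values.yaml`, so the three names in one block no longer follow the same pattern. 4/7 corrects this, which is another reason to squash the example edits into one commit.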
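Review bot: In the 5/7 hunk the disallowed examples become `/path/to/OTHER-application-configuration-dir-or-such/values.yaml`; the suffix `-or-such` reads awkwardly in a documentation example, and 6/7 rewrites the same two lines yet again. Settle on one naming (for example `/path/to/another-directory/values.yaml`) and squash 4/7 through 6/7 into a single commit; the series currently carries two commits titled "Update examples" and two titled "Fix typo" that touch the same lines, which makes the history hard to bisect.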
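Review bot: In the first hunk of 6/7 (`@@ -12,7 +12,7 @@ description:`), "(aka. the application directory)" should read "(i.e. the application directory)" or "(also known as the application directory)"; "aka" is not an abbreviation that takes a period. The trailing "when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726)" also reads as though the pull request specifies the path; move the reference to the end as a parenthetical: "... when a local path is specified ([#3726](https://github.com/pipe-cd/pipecd/pull/3726))."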