Skip to content

Add breaking changes note about Helm values file restriction #3744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Szarny merged 7 commits into from
Jun 10, 2022
Merged

Add breaking changes note about Helm values file restriction #3744

Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e7cd094
Add breaking changes note
Jun 10, 2022
a54cbf5
Update breaking changes
Jun 10, 2022
6ac0b9f
Fix typo
Jun 10, 2022
847716e
Update examples
Jun 10, 2022
2bcc1b9
Update examples
Jun 10, 2022
63d23d5
Update note
Jun 10, 2022
5b73a4d
Fix typo
Jun 10, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 23 additions & 1 deletion docs/content/en/blog/releases/v0.33.0.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,34 @@ description: >

## Changelog since v0.32.4

### Breaking Changes

According to a recently discovered [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm values file path.

For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).
Copy link
Member

@khanhtc1202 khanhtc1202 Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).
For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration exists (aka. the application directory) when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).

Copy link
Member

@knanao knanao Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).
For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration (i.e. `app.pipecd.yaml`) exists when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).

Copy link
Member

@knanao knanao Jun 10, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, this is better.
so let's merge this one.


Therefore, for example, in the following specification of values file paths, the first three are allowed, but the last two are not.

```yaml
helmOptions:
valueFiles:
# allowed
- values.yaml
- ./foo/bar/values.yaml
- /path/to/dir-where-application-configuration-exists/values.yaml
Copy link
Member

@khanhtc1202 khanhtc1202 Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- /path/to/dir-where-application-configuration-exists/values.yaml
- /path/to/application-configuration-dir/values.yaml

Copy link
Contributor Author

@Szarny Szarny Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rewrite it with disallowed examples 👍


# disallowed
- ../../../../path/to/dir-where-application-configuration-file-NOT-exists/values.yaml
Copy link
Member

@khanhtc1202 khanhtc1202 Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- ../../../../path/to/dir-where-application-configuration-file-NOT-exists/values.yaml
- ../../../../path/to/OTHER-application-dir-or-such/values.yaml

- /path/to/dir-where-application-configuration-NOT-exists/values.yaml
Copy link
Member

@khanhtc1202 khanhtc1202 Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- /path/to/dir-where-application-configuration-NOT-exists/values.yaml
- /path/to/OTHER-application-dir-or-such/values.yaml

```

For more information, please see [HelmOptions configuration-reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions).

### Notable Changes

* Sort the application suggestion name in application filter form ([#3740](https://github.com/pipe-cd/pipecd/pull/3740))
* Make piped upgrade version input box selectable ([#3734](https://github.com/pipe-cd/pipecd/pull/3734))
* Add feature to show piped config on web console ([#3673](https://github.com/pipe-cd/pipecd/pull/3673))
* Add validation to helm values file path to prevent potential dirtrav vulnerability ([#3726](https://github.com/pipe-cd/pipecd/pull/3726))

### Internal Changes

Expand Down