
LGTM (security) review tool flagged 5 issues in the code base #3942

Closed
AbhishekMallick opened this issue Sep 4, 2020 · 3 comments · Fixed by #3975
@AbhishekMallick

Summary

Report: https://lgtm.com/projects/g/argoproj/argo?mode=list&severity=error

What happened/what you expected to happen?
Expectation is that there are no potential security holes.

Diagnostics

What version of Argo Workflows are you running?
Latest Argo GitHub repo was input to LGTM

alexec commented Sep 4, 2020

Of the 5 issues highlighted, 4 are false positive. For example, PasswordSecret is not actually sensitive data.

The XSS state would be hard to exploit (you'd need to enable SSO), but not impossible. Would you be interested in submitting a PR to fix this?
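The thread does not say where LGTM flagged the XSS, so the following is a generic added illustration (not Argo code and not taken from this issue) of the pattern such a finding usually points at in a Go service, next to the `html/template` fix. The `renderUnsafe`/`renderSafe` names and the sample payload are assumptions made for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// renderUnsafe builds an HTML fragment by string formatting.
// Whatever is in userInput is emitted verbatim, so markup supplied by
// the request (or by an identity-provider claim) lands in the page unchanged.
// This is the shape of code a static analyser reports as reflected XSS.
func renderUnsafe(userInput string) string {
	return fmt.Sprintf("<p>Signed in as %s</p>", userInput)
}

// safeTmpl is the same fragment as a parsed html/template; the package
// picks the escaping function from the context the value is inserted into.
var safeTmpl = template.Must(template.New("greeting").Parse("<p>Signed in as {{.}}</p>"))

// renderSafe renders through html/template, so user-controlled text is
// escaped and cannot close the element it is placed in.
func renderSafe(userInput string) (string, error) {
	var sb strings.Builder
	if err := safeTmpl.Execute(&sb, userInput); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// containsRawTag is a quick check for an unescaped script tag in rendered
// output, usable as a unit-test assertion on any handler's response body.
func containsRawTag(html string) bool {
	return strings.Contains(html, "<script")
}

func main() {
	// Constructed sample input standing in for a display name taken from an SSO claim.
	payload := `<script>alert(1)</script>`
	fmt.Println("unsafe:", renderUnsafe(payload))
	safe, err := renderSafe(payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
}
```

Running it prints the payload intact from `renderUnsafe` and as `&lt;script&gt;alert(1)&lt;/script&gt;` from `renderSafe`; a test like `containsRawTag` over handler output is a cheap way to keep a fix of this kind from regressing.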

@alexec alexec added the type/security Security related label Sep 4, 2020
alexec commented Sep 4, 2020

@sarabala1979 it would be good to see if you agree with the assessment?
@jessesuen might be good to run this on Argo CD?

AbhishekMallick (Author) commented

@alexec: Sure, I would love to help out, but having no context regarding the code base, I'm not sure what the fix should be.
