Skip to content

Fix documentation security issue #665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Fix documentation security issue #665

wants to merge 10 commits into from

Conversation

@TIJMacLean
Copy link

What this PR does / why we need it:
Fixes a security issue where the "latest" tag could be deployed even when it was disallowed, by using the format image:port/repo for a container image rather than the expected image/repo:tag. image:port/repo passed the contains ":" check, and defaults to pulling the latest

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes a report through the security email

Special notes for your reviewer:

@TIJMacLean TIJMacLean requested a review from a team as a code owner June 24, 2025 08:49
JaydipGabani
JaydipGabani requested changes Jun 24, 2025
View reviewed changes
Copy link
Contributor

@JaydipGabani JaydipGabani left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also add a test covering this change?

Please run make generate generate-website-docs generate-artifacthub-artifacts to generate the templates and docs.

@TIJMacLean TIJMacLean requested a review from JaydipGabani June 24, 2025 19:17
@JaydipGabani
Copy link
Contributor

@TIJMacLean did you miss running make generate generate-website-docs generate-artifacthub-artifacts and pushing generated files as well?

@TIJMacLean
Copy link
Author

@JaydipGabani I hadn't - I've tried to do that all now but as a non-developer, I've been struggling to get all the dependencies and versions working correctly. I've tried again with the make commands and having moved the changes into the src directory instead, but I could get the unit tests to run correctly on my system. So hopefully they pass here!

@TIJMacLean
Copy link
Author

@JaydipGabani Afternoon - is there any update on whether this is more in line with what you were expecting?

@JaydipGabani @TIJMacLean
chore: updating GK and dep versions (open-policy-agent#673)
e1952b6 
* updating GK and dep versions

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing link for kubectl binary

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing tests where APIs no longer exists

Signed-off-by: Jaydip Gabani <[email protected]>

* updating k8s version and fixing tests

Signed-off-by: Jaydip Gabani <[email protected]>

---------

Signed-off-by: Jaydip Gabani <[email protected]>
@TIJMacLean TIJMacLean force-pushed the patch-1 branch 2 times, most recently from d895e5e to 7441716 Compare August 6, 2025 20:18
TIJMacLean and others added 3 commits August 6, 2025 21:20
@TIJMacLean
Adjusting
f951da7 
Signed-off-by: Tom MacLean <[email protected]>
@TIJMacLean
Adjusted to include docs and artifacts
52317f0 
Signed-off-by: Tom MacLean <[email protected]>
@TIJMacLean
Adding commit message
50e8401 
Signed-off-by: Tom MacLean <[email protected]>
@TIJMacLean
Copy link
Author

Didn't realise I had to be the one to sign off the messages - assumed that was an admin right. I also got the unit tests running so hopefully this is now good to go!

@JaydipGabani
Copy link
Contributor

@TIJMacLean please run make generate generate-website-docs generate-artifacthub-artifacts and push changes to resolve CI error.

@TIJMacLean
Copy link
Author

Ok - did that again which should be it (fingers crossed)

JaydipGabani
JaydipGabani approved these changes Sep 15, 2025
View reviewed changes
Copy link
Contributor

@JaydipGabani JaydipGabani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please fix nits, lgtm otherwise

src/general/disallowedtags/src_test.rego
"name": "exempt",
"image": "exempt:testing",
}]
}]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: add a new line

...l/disallowedtags/samples/container-image-must-not-have-latest-tag/example_no_tag_w_port.yaml
args:
- "run"
- "--server"
- "--addr=localhost:8080" No newline at end of file
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: add a new line

...llowedtags/1.0.2/samples/container-image-must-not-have-latest-tag/example_no_tag_w_port.yaml
args:
- "run"
- "--server"
- "--addr=localhost:8080" No newline at end of file
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: add a new line

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JaydipGabani JaydipGabani JaydipGabani approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TIJMacLean @JaydipGabani