Using special chars in helm valuesObject produces 403 error in App Detail parameters view

Checklist:

[x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
[x] I've included steps to reproduce the bug.
[x] I've pasted the output of argocd version.

Describe the bug

When using helm.valuesObject in an Application manifest, certain special characters like < or > are leading to all values being not shown in the "App Details" "Parameters" tab and they also can not be edited there.

In chrome developer tools and logs of the argocd-server pod I can see a POST request returning with a 403 in this case.

We tested this the versions v2.8.0, v2.9.1 and v2.9.2 and always see the same bug.

To Reproduce

Example for a failing manifest:

apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: prometheus
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
   source:
     repoURL: https://prometheus-community.github.io/helm-charts
     chart: prometheus
     targetRevision: 25.3.1
     helm:
       valuesObject:
         pushgateway:
           enabled: false
         testdata: '<foo>bar'
   destination:
     server: https://kubernetes.default.svc
     namespace: default
   syncPolicy:
     automated:
       prune: true
       selfHeal: true

Go to the "prometheus" app in the ArgoCD UI -> App Details -> Parameters
No values are shown and 403 error appears in argocd-server log

Removing the < and > characters from <foo>bar is fixing the failure. Also, using values: | instead of valuesObject: is not showing the the erroneous behaviour. Quoting the special chars with \ or \\ doesn't help.

Expected behavior

special chars like < and > in valuesObject do not lead to 403 requests and work like with values: |
There is an indication of an error instead of simply not showing any values in the UI, as this made debugging significantly harder and confusing

Screenshots

No values shown

developer tools showing a failing POST request

Version

argocd: v2.9.1+58b04e5
  BuildDate: 2023-11-14T15:40:46Z
  GitCommit: 58b04e5e11d007b0518853029ff7612c24a2eb35
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.9.2+c5ea5c4
  BuildDate: 2023-11-20T17:18:26Z
  GitCommit: c5ea5c4df52943a6fff6c0be181fde5358970304
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/arm64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.13.2+g2a2fb3b
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.20.0

Logs

argocd-server

time="2023-12-01T13:18:23Z" level=info msg="received unary call /repository.RepositoryService/GetAppDetails" grpc.method=GetAppDetails grpc.request.content="source:<repoURL:\"https://prometheus-community.github.io/helm-charts\" path:\"\" targetRevision:\"25.3.1\" helm:<releaseName:\"\" values:\"\" version:\"\" passCredentials:false ignoreMissingValueFiles:false skipCrds:false valuesObject:<raw:\"{\\\"pushgateway\\\":{\\\"enabled\\\":false},\\\"testdata\\\":\\\"<foo>bar\\\"}\" Object:<nil> > > chart:\"prometheus\" ref:\"\" > appName:\"prometheus\" appProject:\"default\" " grpc.service=repository.RepositoryService grpc.start_time="2023-12-01T13:18:23Z" span.kind=server system=grpc
time="2023-12-01T13:18:23Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied" grpc.code=PermissionDenied grpc.method=GetAppDetails grpc.service=repository.RepositoryService grpc.start_time="2023-12-01T13:18:23Z" grpc.time_ms=0.546 span.kind=server system=grpc

argoproj / argo-cd

Using special chars in helm valuesObject produces 403 error in App Detail parameters view #16505