search

argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.91k stars 5.46k forks source link

Using special chars in helm valuesObject produces 403 error in App Detail parameters view #16505

Open hphilipps opened 11 months ago

hphilipps commented 11 months ago

Checklist:

Describe the bug

When using helm.valuesObject in an Application manifest, certain special characters like < or > are leading to all values being not shown in the "App Details" "Parameters" tab and they also can not be edited there.

In chrome developer tools and logs of the argocd-server pod I can see a POST request returning with a 403 in this case.

We tested this the versions v2.8.0, v2.9.1 and v2.9.2 and always see the same bug.

To Reproduce

Example for a failing manifest:

apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: prometheus
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
   source:
     repoURL: https://prometheus-community.github.io/helm-charts
     chart: prometheus
     targetRevision: 25.3.1
     helm:
       valuesObject:
         pushgateway:
           enabled: false
         testdata: '<foo>bar'
   destination:
     server: https://kubernetes.default.svc
     namespace: default
   syncPolicy:
     automated:
       prune: true
       selfHeal: true

Removing the < and > characters from <foo>bar is fixing the failure. Also, using values: | instead of valuesObject: is not showing the the erroneous behaviour. Quoting the special chars with \ or \\ doesn't help.

Expected behavior

Screenshots

No values shown image

developer tools showing a failing POST request image

Version

argocd: v2.9.1+58b04e5
  BuildDate: 2023-11-14T15:40:46Z
  GitCommit: 58b04e5e11d007b0518853029ff7612c24a2eb35
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.9.2+c5ea5c4
  BuildDate: 2023-11-20T17:18:26Z
  GitCommit: c5ea5c4df52943a6fff6c0be181fde5358970304
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/arm64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.13.2+g2a2fb3b
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.20.0

Logs

argocd-server

time="2023-12-01T13:18:23Z" level=info msg="received unary call /repository.RepositoryService/GetAppDetails" grpc.method=GetAppDetails grpc.request.content="source:<repoURL:\"https://prometheus-community.github.io/helm-charts\" path:\"\" targetRevision:\"25.3.1\" helm:<releaseName:\"\" values:\"\" version:\"\" passCredentials:false ignoreMissingValueFiles:false skipCrds:false valuesObject:<raw:\"{\\\"pushgateway\\\":{\\\"enabled\\\":false},\\\"testdata\\\":\\\"<foo>bar\\\"}\" Object:<nil> > > chart:\"prometheus\" ref:\"\" > appName:\"prometheus\" appProject:\"default\" " grpc.service=repository.RepositoryService grpc.start_time="2023-12-01T13:18:23Z" span.kind=server system=grpc
time="2023-12-01T13:18:23Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied" grpc.code=PermissionDenied grpc.method=GetAppDetails grpc.service=repository.RepositoryService grpc.start_time="2023-12-01T13:18:23Z" grpc.time_ms=0.546 span.kind=server system=grpc
muma378 commented 11 months ago

Hi,I reproduced in my environment. This is because the valueObject passed from the GUI differs from the value queried by kube client. The later escaped <foo>bar to \\u003cfoo\\u003ebar\, which makes the function below return false.

https://github.com/argoproj/argo-cd/blob/0b35e2f1fe27f395e6106a7466d58911c4f7ec9c/server/repository/repository.go#L316

Do you guys have any ideas on how to fix it? Should we escape the fronted-passed parameter or unescape the kube client getting result? I will try to submit a PR later, any advise is appreciate.

andrii-korotkov-verkada commented 2 days ago

ArgoCD versions 2.10 and below have reached EOL. Can you upgrade and let us know if the issue is still present, please?