Open tpcgold opened 5 months ago
@tpcgold This seems to be a configuration problem within your cloud provider resources. If connecting to GitHub, you might need to configure it with https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.
Nope, it's not a GitHub issue. As the issue describes, it's an OWASP compatibility issue with the ArgoCD frontend -> ArgoCD backend calls. For now I had to add an exception in the firewall checks (if my office IP + argo cookie is present, I ignore some of the OWASP rules mentioned above).
@tpcgold In your issue description, you mention the following:
Requests from the UI should successfully pass the Firewall without the need to puncture security by loosening a widely used standard policy (OWASP)
Can you find which data/value is invalid in the calls made from the ArgoCD frontend to the ArgoCD backend? The rules as explained in https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32 do not provide much detail, and I assume your WAF might have more logs on which data is causing the error.
You can find all rules in the OWASP core rule set; e.g. some, like 931130, are regex based.
I don't have the logs ready as the Log Analytics workspace is already deleted. But the issue was the amount of matches in a short period, which shot the anomaly score above 5 (https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview) and hence triggered the firewall to block the "connect" requests on the "connect repo" page.
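An added illustration (not from this thread or the ArgoCD project) of how CRS anomaly scoring produces the block described above: the scores of every rule a request matches are summed, and rule 949110 blocks once the total reaches the inbound threshold. The severities of 931130, 942430 and 942440 and the /api/v1/repositories path are assumptions; the scoped exclusion shows the narrower alternative to an IP-based exception.

```python
from dataclasses import dataclass, field

# CRS default anomaly score per severity level
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
# Inbound blocking threshold; the thread cites 5 for the Azure OWASP_3.2 policy
INBOUND_THRESHOLD = 5

# Severities assumed from the CRS 3.2 definitions of the rules named in the issue
RULE_SEVERITY = {
    "931130": "CRITICAL",  # possible RFI: off-domain reference in a parameter
    "942430": "WARNING",   # too many restricted SQL characters in args
    "942440": "CRITICAL",  # SQL comment sequence detected
}


@dataclass
class Request:
    path: str
    matched_rules: list  # CRS rule IDs the request args/body triggered


@dataclass
class WafPolicy:
    # (rule_id, path_prefix): ignore that rule only on that path, instead of
    # disabling it policy-wide or trusting a source IP
    exclusions: set = field(default_factory=set)

    def anomaly_score(self, req: Request) -> int:
        score = 0
        for rule_id in req.matched_rules:
            excluded = any(rule_id == r and req.path.startswith(p)
                           for r, p in self.exclusions)
            if not excluded:
                score += SEVERITY_SCORE[RULE_SEVERITY[rule_id]]
        return score

    def evaluate(self, req: Request) -> tuple:
        # 949110 is the evaluation rule: block once the summed score reaches 5
        score = self.anomaly_score(req)
        return ("block" if score >= INBOUND_THRESHOLD else "allow", score)


# Constructed sample: the UI's "connect repo" call from the issue, on an assumed
# ArgoCD API path; the same rules on another path keep their full score
CONNECT_REPO = Request("/api/v1/repositories", ["931130", "942430", "942440"])
OTHER_PATH = Request("/api/v1/applications", ["931130", "942440"])

DEFAULT = WafPolicy()
SCOPED = WafPolicy({("931130", "/api/v1/repositories"),
                    ("942440", "/api/v1/repositories")})
```

With the default policy the sample request scores 13 and is blocked; with the two path-scoped exclusions only the WARNING rule (3) remains, so it passes, while the same rules on another path still block.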
Describe the bug
ArgoCD doesn't allow adding a GitHub repo (neither HTTP/SSH nor GitHub App). All requests from the UI to argo-server will trigger the following OWASP CRS 3.2 rules: 931130, 942430, 942440 and 949110.

To Reproduce
Set up ArgoCD in an AKS cluster behind an Application Gateway with Application Gateway WAF policy OWASP_3.2.

By the way, on the UI you will only see: Unable to connect GitHub App repository: Forbidden. This error message did not help figure out where the problem lies. As requests don't reach argo-server, nothing is logged (that was the only hint).

Expected behaviour
Requests from the UI should successfully pass the firewall without the need to puncture security by loosening a widely used standard policy (OWASP).
Version
argocd: v2.11.3+3f344d5
  BuildDate: 2024-06-06T09:27:36Z
  GitCommit: 3f344d54a4e0bbbb4313e1c19cfe1e544b162598
  GitTreeState: clean
  GoVersion: go1.21.10
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.11.3+3f344d5
  BuildDate: 2024-06-06T08:42:00Z
  GitCommit: 3f344d54a4e0bbbb4313e1c19cfe1e544b162598
  GitTreeState: clean
  GoVersion: go1.21.9
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.14.4+g81c902a
  Kubectl Version: v0.26.11
  Jsonnet Version: v0.20.0