Affected by GO-2024-2646 and 12 other vulnerabilities

GO-2024-2646: Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2

GO-2024-2667: Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2

GO-2024-2728: Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd

GO-2024-2792: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

GO-2024-2877: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

GO-2024-2898: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

GO-2024-3002: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

GO-2024-3006: The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd

GO-2025-3433: Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd

GO-2025-3720: Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd

GO-2025-3993: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload in github.com/argoproj/argo-cd

GO-2025-3994: Repository Credentials Race Condition Crashes Argo CD Server in github.com/argoproj/argo-cd

GO-2025-3996: argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd

The highest tagged major version is v3.

security

package

v2.8.9 Latest Latest Go to latest Published: Jan 19, 2024 License: Apache-2.0 Imports: 6 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/argoproj/argo-cd

Links

Open Source Insights

Documentation ¶

Index ¶

func EnforceToCurrentRoot(currentRoot, requestedPath string) (string, error)
func IsNamespaceEnabled(namespace string, serverNamespace string, enabledNamespaces []string) bool
func NamespaceNotPermittedError(namespace string) error
func RBACName(defaultNS string, project string, namespace string, name string) string
func UnverifiedHasAudClaim(rawIDToken string) (bool, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func EnforceToCurrentRoot ¶

func EnforceToCurrentRoot(currentRoot, requestedPath string) (string, error)

Ensure that `requestedPath` is on the same directory or any subdirectory of `currentRoot`. Both `currentRoot` and `requestedPath` must be absolute paths. They may contain any number of `./` or `/../` dir changes.

func IsNamespaceEnabled ¶ added in v2.5.6

func IsNamespaceEnabled(namespace string, serverNamespace string, enabledNamespaces []string) bool

func NamespaceNotPermittedError ¶ added in v2.5.6

func NamespaceNotPermittedError(namespace string) error

func RBACName ¶ added in v2.8.0

func RBACName(defaultNS string, project string, namespace string, name string) string

RBACName constructs name of the app for use in RBAC checks.

func UnverifiedHasAudClaim ¶ added in v2.3.14

func UnverifiedHasAudClaim(rawIDToken string) (bool, error)

UnverifiedHasAudClaim returns whether the "aud" claim is present in the given JWT.

This function DOES NOT VERIFY THE TOKEN. You still have to verify the token to confirm that the token holder has not altered the "aud" claim.

Types ¶

This section is empty.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL