vmware-tanzu · antgamdia · Sep 7, 2022 · Aug 24, 2022 · Aug 30, 2022 · Aug 30, 2022
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,51 @@
+# Copyright 2022 VMware, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "0 5 * * *"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go", "javascript"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
diff --git a/cmd/apprepository-controller/Dockerfile b/cmd/apprepository-controller/Dockerfile
@@ -10,19 +10,17 @@ COPY pkg pkg
 COPY cmd cmd
 ARG VERSION
 
-ARG GOSEC_VERSION="2.13.1"
 ARG GOLANGCILINT_VERSION="1.49.0"
-
-RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v$GOSEC_VERSION
 RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$GOLANGCILINT_VERSION
 
-# Run golangci-lint to detect issues
-RUN golangci-lint run --timeout=10m ./cmd/apprepository-controller/...
-RUN golangci-lint run --timeout=10m ./pkg/...
+# If true, run golangci-lint to detect issues
+ARG lint
 
-# Run gosec to detect any security-related error at build time
-RUN gosec ./cmd/apprepository-controller/...
-RUN gosec ./pkg/...
+RUN if [ ! -z "$lint" ]; then \
+    # Run golangci-lint to detect issues
+    golangci-lint run --timeout=10m ./cmd/apprepository-controller/... && \
+    golangci-lint run --timeout=10m ./pkg/... ; \
+  fi
 
 # With the trick below, Go's build cache is kept between builds.
 # https://github.com/golang/go/issues/27719#issuecomment-514747274

diff --git a/cmd/asset-syncer/Dockerfile b/cmd/asset-syncer/Dockerfile
@@ -10,19 +10,17 @@ COPY pkg pkg
 COPY cmd cmd
 ARG VERSION
 
-ARG GOSEC_VERSION="2.13.1"
 ARG GOLANGCILINT_VERSION="1.49.0"
-
-RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v$GOSEC_VERSION
 RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$GOLANGCILINT_VERSION
 
-# Run golangci-lint to detect issues
-RUN golangci-lint run --timeout=10m ./cmd/asset-syncer/...
-RUN golangci-lint run --timeout=10m ./pkg/...
+# If true, run golangci-lint to detect issues
+ARG lint
 
-# Run gosec to detect any security-related error at build time
-RUN gosec ./cmd/asset-syncer/...
-RUN gosec ./pkg/...
+RUN if [ ! -z "$lint" ]; then \
+    # Run golangci-lint to detect issues
+    golangci-lint run --timeout=10m ./cmd/asset-syncer/... && \
+    golangci-lint run --timeout=10m ./pkg/... ; \
+  fi
 
 # With the trick below, Go's build cache is kept between builds.
 # https://github.com/golang/go/issues/27719#issuecomment-514747274

diff --git a/cmd/kubeapps-apis/Dockerfile b/cmd/kubeapps-apis/Dockerfile
@@ -9,12 +9,10 @@ COPY go.mod go.sum ./
 ARG VERSION="devel"
 
 ARG BUF_VERSION="1.7.0"
-ARG GOSEC_VERSION="2.13.1"
 ARG GOLANGCILINT_VERSION="1.49.0"
 
 # Install lint tools
 RUN curl -sSL "https://github.com/bufbuild/buf/releases/download/v$BUF_VERSION/buf-Linux-x86_64" -o "/tmp/buf" && chmod +x "/tmp/buf"
-RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v$GOSEC_VERSION
 RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$GOLANGCILINT_VERSION
 
 
@@ -29,13 +27,14 @@ RUN --mount=type=cache,target=/go/pkg/mod  \
 COPY pkg pkg
 COPY cmd cmd
 
-# Run golangci-lint to detect issues
-RUN golangci-lint run --timeout=10m ./cmd/kubeapps-apis/...
-RUN golangci-lint run --timeout=10m ./pkg/...
+# If true, run golangci-lint to detect issues
+ARG lint
 
-# Run gosec to detect any security-related error at build time
-RUN gosec ./cmd/kubeapps-apis/...
-RUN gosec ./pkg/...
+RUN if [ ! -z "$lint" ]; then \
+    # Run golangci-lint to detect issues
+    golangci-lint run --timeout=10m ./cmd/kubeapps-apis/... && \
+    golangci-lint run --timeout=10m ./pkg/...; \
+  fi
 
 # Lint the proto files to detect errors at build time
 RUN /tmp/buf lint ./cmd/kubeapps-apis

diff --git a/cmd/kubeapps-apis/docs/index.html b/cmd/kubeapps-apis/docs/index.html
diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go
@@ -504,14 +504,18 @@ func (s *Server) GetInstalledPackageResourceRefs(ctx context.Context, request *c
 }
 
 func (s *Server) AddPackageRepository(ctx context.Context, request *corev1.AddPackageRepositoryRequest) (*corev1.AddPackageRepositoryResponse, error) {
-	log.Infof("+fluxv2 AddPackageRepository [%v]", request)
 	if request == nil {
 		return nil, status.Errorf(codes.InvalidArgument, "no request provided")
 	}
 	if request.Context == nil || request.Context.Namespace == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "no request Context namespace provided")
 	}
+
 	cluster := request.GetContext().GetCluster()
+	namespace := request.GetContext().GetNamespace()
+	repoName := request.GetName()
+	log.InfoS("+fluxv2 AddPackageRepository", "cluster", cluster, "namespace", namespace, "name", repoName)
+
 	if cluster != "" && cluster != s.kubeappsCluster {
 		return nil, status.Errorf(
 			codes.Unimplemented,

diff --git a/cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/server.go b/cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/server.go
@@ -1010,7 +1010,10 @@ func (s *Server) GetInstalledPackageResourceRefs(ctx context.Context, request *c
 }
 
 func (s *Server) AddPackageRepository(ctx context.Context, request *corev1.AddPackageRepositoryRequest) (*corev1.AddPackageRepositoryResponse, error) {
-	log.Infof("+helm AddPackageRepository '%s' pointing to '%s'", request.GetName(), request.GetUrl())
+	repoName := request.GetName()
+	repoUrl := request.GetUrl()
+	log.Infof("+helm AddPackageRepository '%s' pointing to '%s'", repoName, repoUrl)
+
 	if request == nil {
 		return nil, status.Errorf(codes.InvalidArgument, "no request provided")
 	}

diff --git a/cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/utils/postgresql_utils.go b/cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/utils/postgresql_utils.go
@@ -35,7 +35,10 @@ func NewPGManager(config dbutils.Config, globalReposNamespace string) (AssetMana
 }
 
 func (m *PostgresAssetManager) GetAllChartCategories(cq ChartQuery) ([]*models.ChartCategory, error) {
-	whereQuery, whereQueryParams := m.GenerateWhereClause(cq)
+	whereQuery, whereQueryParams, err := m.GenerateWhereClause(cq)
+	if err != nil {
+		return nil, err
+	}
 	dbQuery := fmt.Sprintf("SELECT (info ->> 'category') AS name, COUNT( (info ->> 'category')) AS count FROM %s %s GROUP BY (info ->> 'category') ORDER BY (info ->> 'category') ASC", dbutils.ChartTable, whereQuery)
 
 	chartsCategories, err := m.QueryAllChartCategories(dbQuery, whereQueryParams...)
@@ -175,15 +178,18 @@ func (m *PostgresAssetManager) GetChartFilesWithFallback(namespace, filesID stri
 }
 
 func (m *PostgresAssetManager) GetPaginatedChartListWithFilters(cq ChartQuery, startItemNumber, pageSize int) ([]*models.Chart, error) {
-	whereQuery, whereQueryParams := m.GenerateWhereClause(cq)
+	whereQuery, whereQueryParams, err := m.GenerateWhereClause(cq)
+	if err != nil {
+		return nil, err
+	}
 	charts, err := m.GetPaginatedChartList(whereQuery, whereQueryParams, startItemNumber, pageSize)
 	if err != nil {
 		return nil, err
 	}
 	return charts, nil
 }
 
-func (m *PostgresAssetManager) GenerateWhereClause(cq ChartQuery) (string, []interface{}) {
+func (m *PostgresAssetManager) GenerateWhereClause(cq ChartQuery) (string, []interface{}, error) {
 	whereClauses := []string{}
 	whereQueryParams := []interface{}{}
 	whereQuery := ""
@@ -201,6 +207,12 @@ func (m *PostgresAssetManager) GenerateWhereClause(cq ChartQuery) (string, []int
 		))
 	}
 	if cq.Version != "" && cq.AppVersion != "" {
+		if !containsOnlyAllowedChars(cq.Version) {
+			return "", nil, errors.New("invalid version")
+		}
+		if !containsOnlyAllowedChars(cq.AppVersion) {
+			return "", nil, errors.New("invalid app version")
+		}
 		parametrizedJsonbLiteral := fmt.Sprintf(`[{"version":"%s","app_version":"%s"}]`, cq.Version, cq.AppVersion)
 		whereQueryParams = append(whereQueryParams, parametrizedJsonbLiteral)
 		whereClauses = append(whereClauses, fmt.Sprintf("(info->'chartVersions' @> $%d::jsonb)", len(whereQueryParams)))
@@ -246,5 +258,16 @@ func (m *PostgresAssetManager) GenerateWhereClause(cq ChartQuery) (string, []int
 		whereQuery = "WHERE " + strings.Join(whereClauses, " AND ")
 	}
 
-	return whereQuery, whereQueryParams
+	return whereQuery, whereQueryParams, nil
+}
+
+// See https://semver.org/#backusnaur-form-grammar-for-valid-semver-versions
+const allowed string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-."
+
+// Using the same "semver" validation logic for parsing version
+// see https://github.com/Masterminds/semver/blob/v3.1.1/version.go
+func containsOnlyAllowedChars(s string) bool {
+	return strings.IndexFunc(s, func(r rune) bool {
+		return !strings.ContainsRune(allowed, r)
+	}) == -1
 }
diff --git a/cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/utils/postgresql_utils_test.go b/cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/utils/postgresql_utils_test.go
@@ -500,6 +500,18 @@ func Test_GenerateWhereClause(t *testing.T) {
 			expectedClause: `WHERE (repo_namespace = $1 OR repo_namespace = $2) AND (info->'chartVersions' @> $3::jsonb)`,
 			expectedParams: []interface{}{string(""), string("kubeapps"), string(`[{"version":"1.0.0","app_version":"0.1.0"}]`)},
 		},
+		{
+			name:           "returns where clause - single param - version AND appVersion malformed with quotes",
+			namespace:      "",
+			chartName:      "",
+			version:        "'\"1.0.0'",
+			appVersion:     "'\"0.1.0'",
+			repos:          []string{""},
+			categories:     []string{""},
+			query:          "",
+			expectedClause: ``,
+			expectedParams: nil,
+		},
 		{
 			name:           "returns where clause - no params",
 			namespace:      "",
@@ -635,7 +647,7 @@ func Test_GenerateWhereClause(t *testing.T) {
 				Repos:       tt.repos,
 				Categories:  tt.categories,
 			}
-			whereQuery, whereQueryParams := pgManager.GenerateWhereClause(cq)
+			whereQuery, whereQueryParams, _ := pgManager.GenerateWhereClause(cq)
 
 			if tt.expectedClause != whereQuery {
 				t.Errorf("Expecting query:\n'%s'\nreceived query:\n'%s'\nin '%s'", tt.expectedClause, whereQuery, tt.name)

diff --git a/site/content/community/_index.html b/site/content/community/_index.html
@@ -30,6 +30,7 @@ <h3>
           <a
             href="https://github.com/orgs/vmware-tanzu/projects/38/views/2"
             target="_blank"
+            rel="noopener"
             >GitHub project page</a
           >.
         </p>
@@ -39,6 +40,7 @@ <h3>
           <a
             href="https://github.com/vmware-tanzu/kubeapps/labels/good%20first%20issue"
             target="_blank"
+            rel="noopener"
             >in the repository</a
           >.
         </p>

diff --git a/site/themes/template/layouts/_default/_markup/render-link.html b/site/themes/template/layouts/_default/_markup/render-link.html
@@ -29,4 +29,4 @@
         {{ end }}
     {{ end -}}
 {{- end -}}
-<a href="{{ $link | safeURL }}"{{ with .Title}} title="{{ . }}"{{ end }}{{ if $isRemote }} target="_blank"{{ end }}>{{ .Text | safeHTML }}</a>
+<a href="{{ $link | safeURL }}"{{ with .Title}} title="{{ . }}"{{ end }}{{ if $isRemote }} rel="noopener" target="_blank"{{ end }}>{{ .Text | safeHTML }}</a>
diff --git a/site/themes/template/layouts/partials/docs-right-bar.html b/site/themes/template/layouts/partials/docs-right-bar.html
@@ -6,7 +6,7 @@
                 {{ $issueTitle := printf "[Docs] ADD-A-TITLE" }}
                 {{ $issueBody := printf "#### On Page: [%s](%s)\n\n Describe the issue" .RelPermalink .Permalink | htmlEscape }}
                 {{ $issueQuery := (querify "body" $issueBody "title" $issueTitle) }}
-                <li><a href="{{ $.Site.Params.github_base_url }}/issues/new?{{ $issueQuery | safeURL }}" target="_blank">Report Issues</a></li>
+                <li><a target="_blank" rel="noopener" href="{{ $.Site.Params.github_base_url }}/issues/new?{{ $issueQuery | safeURL }}" target="_blank">Report Issues</a></li>
             {{ end }}
         </ul>
         {{ if ne .TableOfContents "<nav id=\"TableOfContents\"></nav>" }}