8be37ef1d2
Many of the functions in the `conditions` package accept a format string and
(optional) arguments, just like `fmt.Printf` and friends.
In many places, the code passed an error message as the format string, causing
it to be interpreted by the `fmt` package. This leads to issues when the
message contains percent signs, e.g. URL-encoded values.
Consider the following code:
```go
// internal/controller/ocirepository_controller.go
revision, err := r.getRevision(ref, opts)
if err != nil {
e := serror.NewGeneric(
fmt.Errorf("failed to determine artifact digest: %w", err),
ociv1.OCIPullFailedReason,
)
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
}
```
Since `getRevision()` includes the URL in the error message and the error
message is used as a format string, the resulting condition reads:
```
failed to determine artifact digest: GET https://gitlab.com/jwt/auth?scope=repository%!A(MISSING)fforster%!F(MISSING)<REDACTED>%!F(MISSING)k8s-resource-manifests%!A(MISSING)pull&service=container_registry: DENIED: access forbidden
```
This adds an explicit format string and shortens `e.Error()` and
`e.Err.Error()` to `e`, which yields the same output.
To the best of my knowledge, Go is safe from format string attacks. I **don't**
think this is a security vulnerability, but I'm also not a security expert.
Signed-off-by: Florian Forster <fforster@gitlab.com>
|
||
|---|---|---|
| .github | ||
| api | ||
| config | ||
| docs | ||
| hack | ||
| internal | ||
| pkg | ||
| tests/fuzz | ||
| .dockerignore | ||
| .gitignore | ||
| .goreleaser.yaml | ||
| CHANGELOG.md | ||
| CODE_OF_CONDUCT.md | ||
| DCO | ||
| DEVELOPMENT.md | ||
| Dockerfile | ||
| LICENSE | ||
| MAINTAINERS | ||
| Makefile | ||
| PROJECT | ||
| README.md | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
README.md
Source controller
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit.
APIs
| Kind | API Version |
|---|---|
| GitRepository | source.toolkit.fluxcd.io/v1 |
| OCIRepository | source.toolkit.fluxcd.io/v1beta2 |
| HelmRepository | source.toolkit.fluxcd.io/v1 |
| HelmChart | source.toolkit.fluxcd.io/v1 |
| Bucket | source.toolkit.fluxcd.io/v1beta2 |
Features
- authenticates to sources (SSH, user/password, API token, Workload Identity)
- validates source authenticity (PGP, Cosign, Notation)
- detects source changes based on update policies (semver)
- fetches resources on-demand and on-a-schedule
- packages the fetched resources into a well-known format (tar.gz, yaml)
- makes the artifacts addressable by their source identifier (sha, version, ts)
- makes the artifacts available in-cluster to interested 3rd parties
- notifies interested 3rd parties of source changes and availability (status conditions, events, hooks)
- reacts to Git, Helm and OCI artifacts push events (via notification-controller)
Guides
- Get started with Flux
- Setup Webhook Receivers
- Setup Notifications
- How to build, publish and consume OCI Artifacts with Flux
Roadmap
The roadmap for the Flux family of projects can be found at https://fluxcd.io/roadmap/.
Contributing
This project is Apache 2.0 licensed and accepts contributions via GitHub pull requests. To start contributing please see the development guide.