Kubero V3 refactoring #619

mms-gianni · 2025-01-31T13:34:14Z

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

Type of change

Please delete options that are not relevant.

Template (non-breaking change which adds a template)
Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)
This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

I've built the image and tested it on a kubernetes cluster

Test Configuration:

Operator Version:
Kubernetes Version:
Kubero CLI Version (if applicable):

Checklist:

I removed unnecessary debug logs
My code follows the style guidelines of this project
I have performed a self-review of my code
I documented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
My changes generate no new warnings

…ith kubero v2.

(WIP) add initial auth function

mms-gianni · 2025-02-05T22:19:52Z

Progress

server-refactored-v3/src/main.ts

server-refactored-v3/src/templates/templates.controller.ts

+      res.send(template);
+    } catch (err) {
+      this.logger.error(err);
+      res.status(500).send(err);


To fix the problem, we need to ensure that the stack trace and any sensitive information contained in the error object are not exposed to the end user. Instead, we should log the error details on the server and send a generic error message to the user. This can be achieved by modifying the catch block to log the error and send a generic message.

server-refactored-v3/src/templates/templates.controller.ts

+      res.send(template);
+    } catch (err) {
+      this.logger.error(err);
+      res.status(500).send(err);


To fix the problem, we need to ensure that the error message is properly sanitized or escaped before being sent in the response. This can be achieved by using a library like he (HTML entities) to escape the error message. This will prevent any malicious content from being interpreted as HTML.

Install the he library to handle HTML escaping.

Import the he library in the templates.controller.ts file.

Use the he.escape function to escape the error message before sending it in the response.

server-refactored-v3/src/templates/templates.service.ts

server-refactored-v3/src/kubernetes/kubernetes.service.ts

… in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

…ain-refactored

server-refactored-v3/src/auth/auth.service.ts

server-refactored-v3/src/users/users.service.ts

server-refactored-v3/src/auth/auth.service.ts

+
+      const password = crypto
+        .createHmac('sha256', process.env.KUBERO_SESSION_KEY)
+        .update(pass)


To fix the problem, we need to replace the current password hashing mechanism with a more secure one, such as bcrypt. This will ensure that the password hashing process is computationally intensive, making it more resistant to brute-force attacks.

Install the bcrypt library if it is not already installed.

Import the bcrypt library in the auth.service.ts file.

Replace the existing SHA-256 hashing code with bcrypt hashing.

Update the password comparison logic to use bcrypt's comparison function.

server-refactored-v3/src/templates/templates.service.ts

+    // decode the base64 encoded URL
+    const templateUrl = Buffer.from(templateB64, 'base64').toString('ascii');
+
+    const template = await axios.get(templateUrl).catch((err) => {


To fix the SSRF vulnerability, we need to validate and restrict the user input to ensure it only allows safe and intended URLs. One way to achieve this is by using an allow-list of trusted base64 encoded URLs. This approach ensures that only predefined and safe URLs can be used in the axios.get request.

Create an allow-list of trusted base64 encoded URLs.

Validate the templateB64 parameter against this allow-list before decoding and using it in the request.

If the templateB64 parameter is not in the allow-list, throw an error.

server-refactored-v3/src/users/users.service.ts

+          );
+          password = crypto
+            .createHmac('sha256', process.env.KUBERO_SESSION_KEY)
+            .update(password)


To fix the problem, we should replace the use of crypto.createHmac('sha256', ...) with a more secure password hashing scheme such as bcrypt. This will ensure that the password hashing process requires significant computational effort, making it more resistant to brute-force attacks.

The best way to fix the problem without changing existing functionality is to use the bcrypt library to hash the passwords. We will need to import the bcrypt library, update the password hashing logic to use bcrypt.hashSync, and ensure that the salt is properly generated and used.

init kubero v3 refactoring

18e7ce3

mms-gianni marked this pull request as draft January 31, 2025 13:34

mms-gianni added 10 commits January 31, 2025 14:41

Update package.json and main.ts to use port 2000 for compatibility w…

e0a84d3

…ith kubero v2.

serve static client

5ba11dd

add and start a websocket

b567546

(WIP) add initial auth function

ba31b7e

Merge pull request #621 from kubero-dev/refactoring/add-authentication

fe1c146

(WIP) add initial auth function

(WIP) add basic swagger config

9a69d4b

add swagger Server and Auth

af26235

add basic routes

7570649

add basic modules

6f413c1

init settings module

613d81a

mms-gianni self-assigned this Feb 3, 2025

mms-gianni added the in progress working on it label Feb 3, 2025

mms-gianni linked an issue Feb 3, 2025 that may be closed by this pull request

Announcing Kubero v3 (Refactoring) #623

Open

mms-gianni added 5 commits February 3, 2025 20:23

WIP settings module

d27cc36

mark migrated types

0d61eae

migrate templates, pipeline, apps and kubectl

87fad09

improve logging, connect to kubernetes

ba268f8

make settings readable

a3a2a29

mms-gianni added 9 commits February 6, 2025 23:17

add some settings endpoints

7486575

make kubernetes a global module

f7b8693

add Addons and Pipeline

c51876e

Migrate templates

bbde7be

Migrate templates

5e57db1

migrate activy view

0b5bf42

migrated pipeline form

92ab455

migrated notifications and pipelines partialy

f52b808

migrated app overview

46fac46

github-advanced-security bot found potential problems Feb 13, 2025

View reviewed changes

server-refactored-v3/src/main.ts Dismissed Show dismissed Hide dismissed

mms-gianni added 2 commits February 13, 2025 21:36

fix logs socket

f3e9728

improve API docs

8ee3040

github-advanced-security bot found potential problems Feb 13, 2025

View reviewed changes

mms-gianni added 2 commits February 14, 2025 09:58

Migrated container console

dcd99b7

Migrate build Jobs

1008ac2

github-advanced-security bot found potential problems Feb 14, 2025

View reviewed changes

server-refactored-v3/src/kubernetes/kubernetes.service.ts Fixed Show fixed Hide fixed

mms-gianni and others added 17 commits February 14, 2025 14:30

Potential fix for code scanning alert no. 205: Uncontrolled data used…

75f71dc

… in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Migrate Metrics

d1b27fc

Merge branch 'main-refactored' of github.com:kubero-dev/kubero into m…

aea52ff

…ain-refactored

Migrate auth page

6dfdcef

migrate to JWT based authentication

2568c76

Migrate to JWT Authentication

908ac4f

show error with wrong credentials

fe8199d

migrate github authentication

b668fdf

rename settings to config

f575299

load auth methods dynamicöy

0eb349e

Migrate setup

26e69c0

add anonymous strategy

826fda0

add auth methods

9b99b3c

make authentication optional

b3ecd8d

some cleanup

87b182d

some more cleanup

e764a09

Use ENV var for user access

270256c

github-advanced-security bot found potential problems Feb 24, 2025

View reviewed changes

server-refactored-v3/src/auth/auth.service.ts Fixed Show resolved Hide resolved

server-refactored-v3/src/users/users.service.ts Fixed Show resolved Hide resolved

linting

8e5bdae

github-advanced-security bot found potential problems Feb 24, 2025

View reviewed changes

mms-gianni added 3 commits February 24, 2025 20:13

fix docker image build

838040c

remove ENV helper

332c35e

add config route

a9c7378

@@ -11,3 +11,3 @@
             import { OKDTO } from 'src/shared/dto/ok.dto';
+            import * as he from 'he';
             @Controller({ path: 'api/templates', version: '1' })
@@ -41,3 +41,3 @@
                   this.logger.error(err);
-                  res.status(500).send(err);
+                  res.status(500).send(he.escape(err.toString()));
                 }

@@ -54,3 +54,4 @@
                 "sshpk": "^1.18.0",
-                "yaml": "^2.7.0"
+                "yaml": "^2.7.0",
+                "he": "^1.2.0"
               },

Package	Version	Security advisories
he (npm)	1.2.0	None

@@ -13,3 +13,3 @@
             import { JwtService } from '@nestjs/jwt';
-            import * as crypto from 'crypto';
+            import * as bcrypt from 'bcrypt';
@@ -36,7 +36,4 @@
-                  const password = crypto
-                    .createHmac('sha256', process.env.KUBERO_SESSION_KEY)
-                    .update(pass)
-                    .digest('hex');
-                  if (user.password === password) {
+                  const passwordMatch = await bcrypt.compare(pass, user.password);
+                  if (passwordMatch) {
                     const { password, ...result } = user;

@@ -7,2 +7,7 @@
               private YAML = require('yaml');
+              private readonly allowedTemplates = [
+                'aHR0cHM6Ly9leGFtcGxlLmNvbS90ZW1wbGF0ZTE=', // base64 for 'https://example.com/template1'
+                'aHR0cHM6Ly9leGFtcGxlLmNvbS90ZW1wbGF0ZTI='  // base64 for 'https://example.com/template2'
+              ];
               constructor() {}
@@ -10,2 +15,7 @@
               async getTemplate(templateB64: string) {
+                // validate the base64 encoded URL
+                if (!this.allowedTemplates.includes(templateB64)) {
+                  throw new Error('Invalid template URL');
+                }
                 // decode the base64 encoded URL

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Kubero V3 refactoring #619

Kubero V3 refactoring #619

mms-gianni commented Jan 31, 2025 •

edited

Loading

mms-gianni commented Feb 5, 2025

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Kubero V3 refactoring #619

Are you sure you want to change the base?

Kubero V3 refactoring #619

Conversation

mms-gianni commented Jan 31, 2025 • edited Loading

Description

Type of change

How Has This Been Tested?

Checklist:

mms-gianni commented Feb 5, 2025

mms-gianni commented Jan 31, 2025 •

edited

Loading