open-nomad/.semgrep
Tim Gross 9d906d4632 variables: fix filter on List RPC
The List RPC correctly authorized against the prefix argument. But when
filtering results underneath the prefix, it only checked authorization for
standard ACL tokens and not Workload Identity. This results in WI tokens being
able to read List results (metadata only: variable paths and timestamps) for
variables under the `nomad/` prefix that belong to other jobs in the same
namespace.

Fixes the filtering and split the `handleMixedAuthEndpoint` function into
separate authentication and authorization steps so that we don't need to
re-verify the claim token on each filtered object.

Also includes:
* update semgrep rule for mixed auth endpoints
* variables: List returns empty set when all results are filtered
2022-10-27 13:08:05 -04:00
..
api_errorf.yml api: use errors.New not fmt.Errorf when error doesn't have format. (#14027) 2022-08-05 17:05:47 +02:00
changelog.yml
fsm_time.yml semgrep: add MeasureSinceWithLabels to FSM time rule (#14812) 2022-10-06 10:59:53 -04:00
go_tests.yml ci: do not exclude Parallel semgrep rule 2022-03-17 13:45:56 -05:00
loopclosure.yml Data race fixes in tests and a new semgrep rule (#14594) 2022-09-15 10:35:08 -07:00
rpc_endpoint.yml variables: fix filter on List RPC 2022-10-27 13:08:05 -04:00
time_after.yml add semgrep rule to check for potential time.After leaks (#12001) 2022-02-03 17:33:07 -05:00
ui.yml ci: add semgrep rule to catch usage of invalid string extensions (#12509) 2022-04-08 10:58:32 -04:00