Release/v2.4.5 #570

mms-gianni · 2024-12-23T15:52:17Z

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

Type of change

Please delete options that are not relevant.

Template (non-breaking change which adds a template)
Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)
This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

I've built the image and tested it on a kubernetes cluster

Test Configuration:

Operator Version:
Kubernetes Version:
Kubero CLI Version (if applicable):

Checklist:

I removed unnecessary debug logs
My code follows the style guidelines of this project
I have performed a self-review of my code
I documented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
My changes generate no new warnings

improve template download

Fix / Cors headers not applied

Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6. - [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md) - [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6) --- updated-dependencies: - dependency-name: cross-spawn dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>

…tartup Feature/improve standallone startup

…t/cross-spawn-7.0.6 Bump cross-spawn from 7.0.3 to 7.0.6 in /client

add search and category select fields

client/src/components/setup/index.vue

+      //this.dotenv.KUBECONFIG_BASE64 = Buffer.from(this.kubeConfig).toString('base64')
+      this.dotenv.KUBERO_CONTEXT = this.kubeContext
+      this.dotenv.KUBERO_SESSION_KEY = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15)
+      this.dotenv.KUBERO_WEBHOOK_SECRET = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15)


To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In the browser environment, we can use window.crypto.getRandomValues to generate secure random values. This will ensure that the generated session keys and webhook secrets are not easily predictable.

We will modify the generateConfig method to use window.crypto.getRandomValues instead of Math.random(). Specifically, we will generate a secure random string by converting random bytes to a base64 string.

server/src/routes/config.ts

@@ -66,6 +67,55 @@
    res.send(await req.app.locals.settings.getDefaultRegistry());
 });

+Router.post('/config/k8s/kubeconfig/validate', authMiddleware, async function (req: Request, res: Response) {


To fix the problem, we need to introduce rate limiting to the route handlers in the server/src/routes/config.ts file. The best way to do this is by using the express-rate-limit package, which allows us to easily set up rate limiting middleware. We will configure a rate limiter and apply it to the specific routes that perform potentially expensive operations.

Install the express-rate-limit package.

Import the express-rate-limit package in the server/src/routes/config.ts file.

Configure a rate limiter with appropriate settings (e.g., maximum number of requests per minute).

Apply the rate limiter to the relevant route handlers.

server/src/routes/config.ts

+    res.send(result);
+});
+
+Router.post('/config/setup/save', authMiddleware, async function (req: Request, res: Response) {


To fix the problem, we need to introduce rate limiting to the route handlers that perform authorization and other potentially expensive operations. The best way to do this is by using the express-rate-limit package, which allows us to easily set up and apply rate limiting middleware to our routes.

Install the express-rate-limit package.

Import the express-rate-limit package in the server/src/routes/config.ts file.

Set up a rate limiter with appropriate configuration (e.g., maximum number of requests per time window).

Apply the rate limiter to the relevant routes.

server/src/routes/config.ts

+    res.send(resultUpdateConfig);
+});
+
+Router.get('/config/setup/check/:component', authMiddleware, async function (req: Request, res: Response) {


To fix the problem, we need to introduce rate limiting to the route handlers in the server/src/routes/config.ts file. We will use the express-rate-limit package to achieve this. The rate limiter will be configured to allow a maximum of 100 requests per 15 minutes for each IP address. This will help prevent abuse and potential denial-of-service attacks.

Install the express-rate-limit package.

Import the express-rate-limit package in the server/src/routes/config.ts file.

Configure the rate limiter with appropriate settings.

Apply the rate limiter to the route handlers that perform potentially expensive operations.

mms-gianni and others added 16 commits November 15, 2024 00:04

improve template download

dc61372

Merge pull request #490 from kubero-dev/feature/singlefile-download

4e7331f

improve template download

fix standallone running instances

86d645a

ingress annotations need to be strings

fcc9828

Merge pull request #518 from kubero-dev/fix/cors-header-not-active

dc9377e

Fix / Cors headers not applied

add setup view

200de78

improve setup UI

20f667c

improve setup process

5ba3f23

improve log output druing startup

0f7f4f9

Merge pull request #532 from kubero-dev/feature/improve-standallone-s…

471de1f

…tartup Feature/improve standallone startup

Merge branch 'main' into release/v2.4.5

a248300

Merge pull request #533 from kubero-dev/dependabot/npm_and_yarn/clien…

6cc8eba

…t/cross-spawn-7.0.6 Bump cross-spawn from 7.0.3 to 7.0.6 in /client

add search and category select fields

2e73f82

Merge pull request #559 from kubero-dev/feature/improve-template-view

c2d6ea8

add search and category select fields

make annotations

b4fe56f

mms-gianni merged commit 74e82c4 into main Dec 23, 2024
1 check passed

github-advanced-security bot found potential problems Dec 23, 2024

View reviewed changes

@@ -530,6 +530,10 @@
                   this.dotenv.KUBERO_CONTEXT = this.kubeContext
-                  this.dotenv.KUBERO_SESSION_KEY = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15)
-                  this.dotenv.KUBERO_WEBHOOK_SECRET = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15)
+                  this.dotenv.KUBERO_SESSION_KEY = this.generateSecureRandomString(30)
+                  this.dotenv.KUBERO_WEBHOOK_SECRET = this.generateSecureRandomString(30)
+                },
+                generateSecureRandomString(length) {
+                  const array = new Uint8Array(length);
+                  window.crypto.getRandomValues(array);
+                  return Array.from(array, byte => ('0' + byte.toString(36)).slice(-2)).join('').substring(0, length);
                 }
-              },
             })

@@ -2,2 +2,3 @@
             import { Auth } from '../modules/auth';
+            import rateLimit from 'express-rate-limit';
@@ -10,2 +11,6 @@
+            const limiter = rateLimit({
+                windowMs: 15 * 60 * 1000, // 15 minutes
+                max: 100, // limit each IP to 100 requests per windowMs
+            });
@@ -69,3 +74,3 @@
-            Router.post('/config/k8s/kubeconfig/validate', authMiddleware, async function (req: Request, res: Response) {
+            Router.post('/config/k8s/kubeconfig/validate', authMiddleware, limiter, async function (req: Request, res: Response) {
                 // #swagger.tags = ['UI']

@@ -51,3 +51,4 @@
                 "uuid": "^8.3.2",
-                "yaml": "^2.1.1"
+                "yaml": "^2.1.1",
+                "express-rate-limit": "^7.5.0"
               },

Package	Version	Security advisories
express-rate-limit (npm)	7.5.0	None

@@ -2,2 +2,3 @@
             import { Auth } from '../modules/auth';
+            import rateLimit from 'express-rate-limit';
@@ -10,2 +11,6 @@
+            const limiter = rateLimit({
+                windowMs: 15 * 60 * 1000, // 15 minutes
+                max: 100, // limit each IP to 100 requests per windowMs
+            });
@@ -14,3 +19,2 @@
             debug('app:routes')
             Router.get('/config', authMiddleware, async function (req: Request, res: Response) {
@@ -69,3 +73,3 @@
-            Router.post('/config/k8s/kubeconfig/validate', authMiddleware, async function (req: Request, res: Response) {
+            Router.post('/config/k8s/kubeconfig/validate', limiter, authMiddleware, async function (req: Request, res: Response) {
                 // #swagger.tags = ['UI']
@@ -80,3 +84,3 @@
-            Router.post('/config/setup/save', authMiddleware, async function (req: Request, res: Response) {
+            Router.post('/config/setup/save', limiter, authMiddleware, async function (req: Request, res: Response) {
                 // #swagger.tags = ['UI']

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release/v2.4.5 #570

Release/v2.4.5 #570

mms-gianni commented Dec 23, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Release/v2.4.5 #570

Release/v2.4.5 #570

Conversation

mms-gianni commented Dec 23, 2024

Description

Type of change

How Has This Been Tested?

Checklist: