Patches vulnerabilities introduced by goproxy[C] and env settings[L]

switcherapi · Sep 4, 2024 · 9063994 · 9063994
1 parent 32ae280
commit 9063994
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 4 deletions.
diff --git a/.env.test b/.env.test
@@ -7,6 +7,7 @@ SWITCHER_API_JWT_SECRET=[YOUR_JWT_SECRET]
 
 # Only for testing purposes. Values are loaded from accounts
 API_DOMAIN_ID=
+GIT_USER=
 GIT_TOKEN=
 GIT_TOKEN_READ_ONLY=
 GIT_REPO_URL=https://github.com/switcherapi/switcher-gitops-fixture

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
@@ -40,6 +40,7 @@ jobs:
         SWITCHER_API_JWT_SECRET: ${{ secrets.SWITCHER_API_JWT_SECRET }}
         API_DOMAIN_ID: ${{ secrets.API_DOMAIN_ID }}
         GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
+        GIT_USER: ${{ secrets.GIT_USER }}
         GIT_TOKEN_READ_ONLY: ${{ secrets.GIT_TOKEN_READ_ONLY }}
         GIT_REPO_URL: ${{ secrets.GIT_REPO_URL }}
         GIT_BRANCH: ${{ secrets.GIT_BRANCH }}

diff --git a/go.mod b/go.mod
@@ -49,3 +49,5 @@ require (
 	go.mongodb.org/mongo-driver v1.16.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace github.com/elazarl/goproxy => github.com/elazarl/goproxy v0.0.0-20240726154733-8b0c20506380
diff --git a/go.sum b/go.sum
@@ -18,8 +18,8 @@ github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v0.0.0-20240726154733-8b0c20506380 h1:1NyRx2f4W4WBRyg0Kys0ZbaNmDDzZ2R/C7DTi+bbsJ0=
+github.com/elazarl/goproxy v0.0.0-20240726154733-8b0c20506380/go.mod h1:thX175TtLTzLj3p7N/Q9IiKZ7NF+p72cvL91emV0hzo=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=

diff --git a/src/core/git.go b/src/core/git.go
@@ -10,6 +10,7 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/storage/memory"
+	"github.com/switcherapi/switcher-gitops/src/config"
 	"github.com/switcherapi/switcher-gitops/src/model"
 )
 
@@ -139,7 +140,7 @@ func (g *GitService) getRepository(fs billy.Filesystem) (*git.Repository, error)
 
 func (g *GitService) getAuth() *http.BasicAuth {
 	return &http.BasicAuth{
-		Username: "git-user",
+		Username: config.GetEnv("GIT_USER"),
 		Password: g.Token,
 	}
 }
diff --git a/src/core/git_test.go b/src/core/git_test.go
@@ -177,7 +177,7 @@ func deleteBranch(branchName string) {
 
 func getAuth() *http.BasicAuth {
 	return &http.BasicAuth{
-		Username: "git-user",
+		Username: appConfig.GetEnv("GIT_USER"),
 		Password: appConfig.GetEnv("GIT_TOKEN"),
 	}
 }