Update dependency @backstage/plugin-scaffolder-backend to v1.15.0 [SECURITY] #102

Open

wants to merge 1 commit into base: master
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 21, 2023

Mend Renovate

This PR contains the following updates:

Package: @backstage/plugin-scaffolder-backend (source)
Change: 1.6.0 -> 1.15.0

GitHub Vulnerability Alerts

CVE-2023-35926

The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been vm2, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.

Impact

A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.

Patches

This vulnerability is fixed in version 1.15.0 of @backstage/plugin-scaffolder-backend.

Workarounds

Note that the Backstage Threat Model states that scaffolder templates are considered to be a sensitive area, with the recommendation that you control access to them and perform manual reviews of changes to the scaffolder templates. The exploit is of a nature where it is easily discoverable in manual review.


Release Notes

backstage/backstage (@backstage/plugin-scaffolder-backend)

v1.15.0

Compare Source

Minor Changes
  • 84b0e47: Add TargetBranchName variable and output for the publish:gitlab:merge-request and publish:github:pull-request scaffolder actions.

  • 6a694ce: Add a scaffolder action that creates pull requests for Bitbucket Server

  • 1948845: Added github:deployKey:create and github:environment:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Administration (for deploy key functionality) and Environments (for Environment functionality)

  • df84117: Add support for Repository Variables and Secrets to the publish:github and github:repo:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Secrets and Variables

    Upgrading octokit introduces some breaking changes.

Patch Changes

v1.14.0

Compare Source

Minor Changes
  • 67115f5: Expose both types of scaffolder permissions and rules through the metadata endpoint.

    The metadata endpoint now correctly exposes both types of scaffolder permissions and rules (for both the template and action resource types).

  • a73b3c0: Add ability to use defaultNamespace and defaultKind for scaffolder action catalog:fetch

Patch Changes

v1.13.1

Compare Source

This release bumps the minimum required version of vm2 to 3.9.17

v1.13.0

Compare Source

Minor Changes
  • 2b15cb4: The non-PR/MR Git Actions now return the commit hash of the pushed commit as a new output called commitHash; isomorphic-git is now on version 1.23.0

  • 30ffdae: Added fetch:plain:file action to fetch a single file; this action is also added to the list of built-in actions.

  • 65e989f: Added the possibility to authorize parameters and steps of a template

    The scaffolder plugin is now integrated with the permission framework.
    It is possible to toggle parameters or actions within templates by marking each section with specific tags, inside a backstage:permissions property under each parameter or action. Each parameter or action can then be permissioned by using a conditional decision containing the scaffolderTemplateRules.hasTag rule.

  • 3b68b09: Renamed permissionApi router option to permissions

  • bcae5aa: Added the possibility to authorize actions

    It is now possible to decide who should be able to execute certain actions or who should be able to pass specific input to specified actions.

    Some of the existing utility functions for creating conditional decisions have been renamed:

    • createScaffolderConditionalDecision has been renamed to createScaffolderActionConditionalDecision
    • scaffolderConditions has been renamed to scaffolderTemplateConditions
  • d7c8c22: Allow for a commit message to differ from the PR title when publishing a GitHub pull request.

  • 95ea9f6: Provide some more default filters out of the box and refactoring how the filters are applied to the SecureTemplater.

    • parseEntityRef will take a string entity triplet and return a parsed object.
    • pick will allow you to reference a specific property in the piped object.

    So you can now combine things like this: ${{ parameters.entity | parseEntityRef | pick('name') }} to get the name of a specific entity, or ${{ parameters.repoUrl | parseRepoUrl | pick('owner') }} to get the owner of a repo.
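The filter chain above is evaluated left to right: the string parameter is parsed into an object, then one property is picked from it. The following is an added, stand-alone model of that pipeline, not Backstage's own filter code. It assumes the entity-ref shape `[kind:][namespace/]name` with the namespace defaulting to `default`, and a `pick` that returns one property of the piped object; the real filters are registered with nunjucks and may differ in detail (for instance in how a missing kind is handled).

```javascript
// Added example (not Backstage's own code): a stand-alone model of the
// parseEntityRef and pick template filters and of chaining them the way the
// nunjucks pipe syntax does. Assumption: entity refs use the Backstage
// "[kind:][namespace/]name" shape and the namespace defaults to "default".

// Split "kind:namespace/name" into its parts. Assumed behaviour: the kind is
// required here; a missing namespace falls back to "default".
function parseEntityRef(ref) {
  if (typeof ref !== 'string' || ref.length === 0) {
    throw new TypeError('entity ref must be a non-empty string');
  }
  const colon = ref.indexOf(':');
  if (colon < 0) {
    throw new TypeError(`entity ref "${ref}" is missing a kind`);
  }
  const kind = ref.slice(0, colon);
  const rest = ref.slice(colon + 1);
  const slash = rest.indexOf('/');
  const namespace = slash < 0 ? 'default' : rest.slice(0, slash);
  const name = slash < 0 ? rest : rest.slice(slash + 1);
  if (!kind || !namespace || !name) {
    throw new TypeError(`entity ref "${ref}" has an empty component`);
  }
  return { kind, namespace, name };
}

// Return one property of the piped object; undefined if the object or
// property is absent, so a broken chain fails closed rather than throwing.
function pick(obj, key) {
  return obj == null ? undefined : obj[key];
}

// Apply filters left to right, the way "a | f | g('x')" is evaluated.
// Each step is [filterFn, ...extraArgs]; the piped value is the first arg.
function pipe(value, ...steps) {
  return steps.reduce((acc, [fn, ...args]) => fn(acc, ...args), value);
}

// Equivalent of ${{ parameters.entity | parseEntityRef | pick('name') }}
function entityName(entityRef) {
  return pipe(entityRef, [parseEntityRef], [pick, 'name']);
}

// Constructed sample input, not taken from a real catalog.
console.log(entityName('component:default/my-service')); // my-service
```

The `pipe` helper stands in for nunjucks' filter application; in a real template the `|` operator does this for you and the filters are plain functions that receive the piped value as their first argument.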

Patch Changes

v1.12.0

Compare Source

Minor Changes
  • 7d724d8: Added the ability to define an action's input and output schema using zod instead of hand-writing types and jsonschema
Patch Changes

v1.11.0

Compare Source

Minor Changes
  • 0b2952e: Added the option to overwrite files in the targetPath of the template:fetch action
  • 1271549: Renamed the export scaffolderCatalogModule to catalogModuleTemplateKind in order to follow the new recommended naming patterns of backend system items. This is technically a breaking change but in an alpha export, so take care to change your imports if you have already migrated to the new backend system.
Patch Changes

v1.10.1

Compare Source

  • Fixed an issue where the log redaction didn't properly escape RegExp characters.
  • Fixed an issue where the resolved @rjsf/* libraries were incompatible
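The redaction fix above is worth seeing in miniature: a redactor that builds a `RegExp` straight from a secret fails in two ways, and both leak into logs. The block below is an added illustration, not the plugin's own redaction code; the secrets and log line are constructed sample values, and `escapeRegExp` is the standard escaping idiom rather than a Backstage API.

```javascript
// Added example (not Backstage's own code): why a log redactor that compiles
// a RegExp from a secret must escape the secret's RegExp metacharacters.

// Escape every character with special meaning in a RegExp so the secret is
// matched literally. Standard escaping idiom, not a Backstage helper.
function escapeRegExp(value) {
  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Naive redactor: interpolates secrets straight into the pattern.
// Failure mode 1: a secret with an unbalanced "(" is an invalid pattern, so
//   it is skipped and stays in the log.
// Failure mode 2: "." and friends act as wildcards, so unrelated values
//   that merely resemble the secret are blanked out too.
function redactNaive(message, secrets) {
  let out = message;
  for (const secret of secrets) {
    try {
      out = out.replace(new RegExp(secret, 'g'), '***');
    } catch {
      // Invalid pattern: the secret is silently left unredacted.
    }
  }
  return out;
}

// Fixed redactor: escape before compiling, so every secret is a literal.
function redactEscaped(message, secrets) {
  let out = message;
  for (const secret of secrets) {
    out = out.replace(new RegExp(escapeRegExp(secret), 'g'), '***');
  }
  return out;
}

// Constructed sample values; not real credentials or real log output.
const SECRETS = ['p4ss(word', 'tok.en1'];
const LINE = 'login with p4ss(word failed; retry id tokXen1; token tok.en1 expired';

// Returns both outputs so the difference can be inspected side by side.
function demo() {
  return {
    naive: redactNaive(LINE, SECRETS),
    escaped: redactEscaped(LINE, SECRETS),
  };
}

console.log(demo());
```

Running `demo()` shows the naive version leaving `p4ss(word` in the line while blanking the unrelated `tokXen1`, and the escaped version redacting exactly the two secrets. A redactor should also be tested with secrets containing `$`, `|`, `[` and `\`, which are the other characters the escaping covers.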

v1.10.0

Compare Source

Minor Changes
  • a6808b6: Implement Required approving review count, Restrictions, and Required commit signing support for publish:github action

  • 04a2048: Allow custom repository roles to be configured on github repos

  • c0ad734: Add Scaffolder action catalog:fetch to get entity by entity reference from catalog

  • b44eb68: This change adds support for providing examples alongside scaffolder task actions.

    The createTemplateAction function now takes a list of examples, e.g.:

    import yaml from 'yaml';
    import { createTemplateAction } from '@backstage/plugin-scaffolder-backend';

    const actionExamples = [
      {
        description: 'Example 1',
        example: yaml.stringify({
          steps: [
            {
              action: 'test:action',
              id: 'test',
              input: {
                input1: 'value',
              },
            },
          ],
        }),
      },
    ];

    export function createTestAction() {
      return createTemplateAction({
        id: 'test:action',
        // Each example pairs a description with its YAML snippet; this is
        // the shape the actions endpoint returns (see the curl output below).
        examples: actionExamples,
        ...,
      });
    }

    These examples can be retrieved later from the API.

    curl http://localhost:7007/api/scaffolder/v2/actions
    [
      {
        "id": "test:action",
        "examples": [
          {
            "description": "Example 1",
            "example": "steps:\n  - action: test:action\n    id: test\n    input:\n      input1: value\n"
          }
        ],
        "schema": {
          "input": {
            "type": "object",
            "properties": {
              "input1": {
                "title": "Input 1",
                "type": "string"
              }
            }
          }
        }
      }
    ]
  • 72d6b9f: Added ability to override the commit message and author details for the publish:bitbucketServer action.

  • a69664f: Add Github repository support for squash merge commit title and message options

Patch Changes

v1.9.0

Compare Source

Minor Changes
  • a20a0ea: Added requiredConversationResolution template option to github:repo:create, github:repo:push and publish:github

  • b32005e: Deprecated the taskWorkers option in RouterOptions in favor of concurrentTasksLimit which sets the limit of concurrent tasks in a single TaskWorker

    TaskWorker can now run multiple (defaults to 10) tasks concurrently using the concurrentTasksLimit option available in both RouterOptions and CreateWorkerOptions.

    To use the option to create a TaskWorker:

    const worker = await TaskWorker.create({
        taskBroker,
        actionRegistry,
        integrations,
        logger,
        workingDirectory,
        additionalTemplateFilters,
    +   concurrentTasksLimit: 10 // (1 to Infinity)
    });
  • fc51bd8: Add support for disabling Github repository wiki, issues and projects

  • 0053d07: Update the github:publish action to allow passing whether to dismiss stale reviews on the protected default branch.

Patch Changes

v1.8.0

Compare Source

Minor Changes
  • ea14eb6: Added a set of default Prometheus metrics around scaffolding. See below for a list of metrics and an explanation of their labels:

    • scaffolder_task_count: Tracks successful task runs.

      Labels:

      • template: The entity ref of the scaffolded template
      • user: The entity ref of the user that invoked the template run
      • result: A string describing whether the task ran successfully, failed, or was skipped
    • scaffolder_task_duration: a histogram which tracks the duration of a task run

      Labels:

      • template: The entity ref of the scaffolded template
      • result: A boolean describing whether the task ran successfully
    • scaffolder_step_count: a count that tracks each step run

      Labels:

      • template: The entity ref of the scaffolded template
      • step: The name of the step that was run
      • result: A string describing whether the task ran successfully, failed, or was skipped
    • scaffolder_step_duration: a histogram which tracks the duration of each step run

      Labels:

      • template: The entity ref of the scaffolded template
      • step: The name of the step that was run
      • result: A string describing whether the task ran successfully, failed, or was skipped

    You can find a guide for running Prometheus metrics here: https://github.com/backstage/backstage/blob/master/contrib/docs/tutorials/prometheus-metrics.md

  • 5921b5c: The GitLab Project ID for the publish:gitlab:merge-request action is now passed through the query parameter project in the repoUrl. It still allows people to not use the project ID and use the repoUrl with the owner and repo query parameters instead. This makes it easier to publish to repositories instead of writing the full path to the project.

  • 5025d2e: Adds the ability to pass (an optional) array of strings that will be applied to the newly scaffolded repository as topic labels.

Patch Changes

v1.7.0

Compare Source

Minor Changes
  • 253453f: Added a new property called additionalTemplateGlobals which allows you to add global functions to the scaffolder nunjucks templates.
  • 17ff771: Update the github:publish action to allow passing whether pull requests must be up to date with the default branch before merging.
  • 304305d: Add allowAutoMerge option for publish:github action
  • 694bfe2: Add functionality to shutdown scaffolder tasks if they are stale
  • a8e9848: Added optional sourcePath parameter to publish:gitlab:merge-request action, targetPath is now optional and falls back to current workspace path.
Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner June 21, 2023 23:39