The argocd server api-content-type flag does not allow empty content-type header #17057
Comments
Nibiii
changed the title
|
What version are you running? |
|
The problem affects all of the releases that include the fix for security issue GHSA-92mw-q256-5vwg, so that would be 2.7.16, 2.7.17, 2.8.8, 2.8.9, 2.8.10, 2.9.4, 2.9.5, 2.9.6 and 2.9.10. As i stated before, this pull request does not provide the functionality as described. |
|
It seems that this pull request attempted to allow disabling enforcing content type. However the issue is still relevant. Due to using |
|
@Goorsky1 hm, I tested that exact case and am pretty certain that setting an empty string in argocd-cmd-params-cm works. Can you share your test steps? |
|
@crenshaw-dev we have a user that has also hit this. The flaw is here: https://github.com/argoproj/argo-cd/blob/v2.8.10/util/env/env.go#L127-L132 func StringFromEnv(env string, defaultValue string) string {
if str := os.Getenv(env); str != "" { // if env is "", it will return defaultValue, which is application/json
return str
}
return defaultValue
}I think the fix will need to delineate if the env var is not set vs. the env var is set to empty string and disable content-type enforcement if the latter. |
jessesuen
added
bug
In other words, val, present := os.LookupEnv("ARGOCD_API_CONTENT_TYPES")and disable content-type validation if |
Summary
After recent security patch there is no way to accept api requests without content-type header set. The comment here says it should be possible, but it is not. As you can see, the default flag value is either environment variable or "application/json". Setting the default value to env.StringFromEnv("ARGOCD_API_CONTENT_TYPES", "") would allow incoming requests without content-type set to be processed.
The text was updated successfully, but these errors were encountered: