Merge branch 'master' into usermanagment_improvements

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,7 +1,9 @@
 ---
-name: "\U0001f41b Bug report"
+name: "\U0001F41B Bug report"
 about: Create a report to help improve the project
+title: ''
 labels: bug
+assignees: ''
 
 ---
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,7 +1,9 @@
 ---
-name: "\U0001f6f8 Feature request"
+name: "\U0001F6F8 Feature request"
 about: Suggest an idea that will improve the project
-labels: enhancement
+title: ''
+labels: ''
+assignees: ''
 
 ---
 

.github/ISSUE_TEMPLATE/question.md

@@ -1,7 +1,10 @@
 ---
 name: "\U0001F914 Question"
 about: Question not answered in our community meetings, Docs or Readme.
-labels: question
+title: ''
+labels: ''
+assignees: ''
+
 ---
 
 ## Question

.github/ISSUE_TEMPLATE/security-issue.md

@@ -0,0 +1,23 @@
+---
+name: Security Issue
+about: Report the potential vulnerability or security issue
+title: 'seclog: [Event Description] '
+labels: security, vulnerability
+assignees: Saranya-jena, Jonsy13, SarthakJain26
+
+---
+
+### Summary
+_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._
+
+### Details
+_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._
+
+### PoC
+_Complete instructions, including specific configuration details, to reproduce the vulnerability._
+
+### Impact
+_What kind of vulnerability is it? Who is impacted?_
+
+### Remediation
+_Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue._

README.md

@@ -9,7 +9,7 @@
 [![GitHub stars](https://img.shields.io/github/stars/litmuschaos/litmus?style=social)](https://github.com/litmuschaos/litmus/stargazers)
 [![GitHub issues](https://img.shields.io/github/issues/litmuschaos/litmus)](https://github.com/litmuschaos/litmus/issues)
 [![Twitter Follow](https://img.shields.io/twitter/follow/litmuschaos?style=social)](https://twitter.com/LitmusChaos)
-[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3202/badge)](https://bestpractices.coreinfrastructure.org/projects/3202)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/3202/badge)](https://www.bestpractices.dev/projects/3202)
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Flitmuschaos%2Flitmus.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Flitmuschaos%2Flitmus?ref=badge_shield)
 [![YouTube Channel](https://img.shields.io/badge/YouTube-Subscribe-red)](https://www.youtube.com/channel/UCa57PMqmz_j0wnteRa9nCaw)
 <br><br><br><br>

SECURITY.md

@@ -1,11 +1,30 @@
 # SECURITY
 
-This page borrows parts of its contents from https://kubernetes.io/security/
-
-## Report a Vulnerability
+## Reporting a Vulnerability
 
 We are extremely grateful for security researchers and users that report vulnerabilities to the LitmusChaos Open Source Community. All reports are thoroughly investigated by a set of community members.
 
+To report a litmuschaos vulnerability, either:
+
+1. Report it on Github directly:
+
+    Navigate to the security tab on the repository
+    ![Github Security Tab](./images/securityreport.png)
+
+    Click on 'Advisories'
+    ![Github Advisories tab](./images/security-reporting2.png)
+
+    Click on 'Report a vulnerability'
+
+
+2. Send an email to `[email protected]` detailing the issue and steps
+to reproduce.
+
+The reporter(s) can expect a response within 24 hours acknowledging
+the issue was received. If a response is not received within 24 hours, please
+reach out to any committer directly to confirm receipt of the issue.
+
+
 To make a report, submit your vulnerability to all security contacts of LitmusChaos [listed below](#security-contacts). This allows triage and handling of the vulnerability with standardized response times.
 
 ### When Should I Report a Vulnerability?
@@ -20,6 +39,63 @@ To make a report, submit your vulnerability to all security contacts of LitmusCh
 - You need help applying security-related updates
 - Your issue is not security-related
 
+
+## Review Process
+
+Once a committer has confirmed the relevance of the report, a draft security
+advisory will be created on Github. The draft advisory will be used to discuss
+the issue with committers, the reporter(s), and litmuschaos's security advisors.
+If the reporter(s) wishes to participate in this discussion, then provide
+reporter Github username(s) to be invited to the discussion. If the reporter(s)
+does not wish to participate directly in the discussion, then the reporter(s)
+can request to be updated regularly via email.
+
+If the vulnerability is accepted, a timeline for developing a patch, public
+disclosure, and patch release will be determined. If there is an embargo period
+on public disclosure before the patch release, an announcment will be sent to
+the security announce mailing list announcing the scope of the vulnerability, the date of availability of the
+patch release, and the date of public disclosure. The reporter(s) are expected
+to participate in the discussion of the timeline and abide by agreed upon dates
+for public disclosure.
+
+## Security Vulnerability Response
+
+Each report is acknowledged and analyzed by the security contacts within 5 working days. This will set off the [Security Release Process](#process).
+
+Any vulnerability information shared with the LitmusChaos security contacts stays within LitmusChaos project and will not be disseminated to other projects unless it is necessary to get the issue fixed.
+
+## Public Disclosure Timing
+
+A public disclosure date is negotiated by the LitmusChaos Security Committee and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it is already publicly known) to a few weeks. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days. The LitmusChaos Security Committee holds the final say when setting a disclosure date.
+
+## Process
+
+If you find a security-related bug in LitmusChaos, we kindly ask you for responsible disclosure and for giving us appropriate time to react, analyze, and develop a fix to mitigate the found security vulnerability. The security contact will investigate the issue within 5 working days.
+
+The team will react promptly to fix the security issue and its workaround/fix will be published on our release notes. 
+
+## Supported Versions
+
+See the [litmuschaos release page]()
+for information on supported versions of litmuschaos. Any `Extended` or `Active`
+release branch may receive security updates. For any security issues discovered
+on older versions, non-core packages, or dependencies, please inform committers
+using the same security mailing list as for reporting vulnerabilities.
+
+## Joining the security announce mailing list
+
+Any organization or individual who directly uses litmuschaos and non-core
+packages in production or in a security critical application is eligible to join
+the security announce mailing list. Indirect users who use litmuschaos through a
+vendor are not expected to join, but should request their vendor join. To join
+the mailing list, the individual or organization must be sponsored by either a
+litmuschaos committer or security advisor as well as have a record of properly
+handling non-public security information. If a sponsor cannot be found,
+sponsorship may be requested at `[email protected]`. Sponsorship should not
+be requested via public channels since membership of the security announce list
+is not public.
+
+
 ## Security Vulnerability Response
 
 Each report is acknowledged and analyzed by the security contacts within 5 working days. This will set off the [Security Release Process](#process).
@@ -40,6 +116,6 @@ The team will react promptly to fix the security issue and its workaround/fix wi
 
 Defined below are the security contacts for this repository. In case you identify any security issue, please reach out to all of the security contacts.
 
-- @ksatchit (karthik satchitanand, karthik@chaosnative.com) 
-- @rajdas98 (raj babu das, raj@chaosnative.com)
+- @ksatchit (karthik satchitanand, karthik[email protected]) 
+- @rajdas98 (raj babu das, raj[email protected])
 

chaoscenter/graphql/server/go.mod

@@ -17,6 +17,7 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/litmuschaos/chaos-operator v0.0.0-20230718113617-6819a4be12e4
 	github.com/litmuschaos/chaos-scheduler v0.0.0-20220714173615-d7513d616a71
+	github.com/mrz1836/go-sanitize v1.3.1
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.4

chaoscenter/graphql/server/go.sum

@@ -875,6 +875,8 @@ github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5
 github.com/mozilla/tls-observatory v0.0.0-20180409132520-8791a200eb40/go.mod h1:SrKMQvPiws7F7iqYp8/TX+IhxCYhzr6N/1yb8cwHsGk=
 github.com/mrunalp/fileutils v0.0.0-20160930181131-4ee1cc9a8058/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0=
 github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0=
+github.com/mrz1836/go-sanitize v1.3.1 h1:bTxpzDXzGh9cp3XLTeVKgL2iLqEwCaLqqe+3BmpnCbo=
+github.com/mrz1836/go-sanitize v1.3.1/go.mod h1:Js6Gq1uiarNReoOeOKxPXxNpKy1FRlbgDDZnJG4THdM=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20190414153302-2ae31c8b6b30/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=

chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml

@@ -141,7 +141,7 @@ rules:
 
   - apiGroups: ['']
     resources: ['namespaces']
-    verbs: ['get', 'watch', 'patch', 'list']
+    verbs: ['get', 'watch', 'patch', 'list', 'create']
 
   # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
   - apiGroups: ['']

chaoscenter/graphql/server/pkg/chaos_experiment/handler/handler.go

@@ -159,7 +159,7 @@ func (c *ChaosExperimentHandler) SaveChaosExperiment(ctx context.Context, reques
 	return "experiment saved successfully", nil
 }
 
-func (c *ChaosExperimentHandler) CreateChaosExperiment(ctx context.Context, request *model.ChaosExperimentRequest, projectID string, r *store.StateData) (*model.ChaosExperimentResponse, error) {
+func (c *ChaosExperimentHandler) CreateChaosExperiment(ctx context.Context, request *model.ChaosExperimentRequest, projectID string) (*model.ChaosExperimentResponse, error) {
 
 	var revID = uuid.New().String()
 
@@ -182,7 +182,7 @@ func (c *ChaosExperimentHandler) CreateChaosExperiment(ctx context.Context, requ
 
 	tkn := ctx.Value(authorization.AuthKey).(string)
 	uid, err := authorization.GetUsername(tkn)
-	err = c.chaosExperimentService.ProcessExperimentCreation(context.TODO(), newRequest, uid, projectID, wfType, revID, r)
+	err = c.chaosExperimentService.ProcessExperimentCreation(context.TODO(), newRequest, uid, projectID, wfType, revID, nil)
 	if err != nil {
 		return nil, err
 	}

chaoscenter/graphql/server/pkg/chaos_experiment/handler/handler_test.go

@@ -234,7 +234,7 @@ func TestChaosExperimentHandler_CreateChaosExperiment(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			mockServices := NewMockServices()
-			got, err := mockServices.ChaosExperimentHandler.CreateChaosExperiment(tt.args.ctx, tt.args.request, tt.args.projectID, tt.args.r)
+			got, err := mockServices.ChaosExperimentHandler.CreateChaosExperiment(tt.args.ctx, tt.args.request, tt.args.projectID)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ChaosExperimentHandler.CreateChaosExperiment() error = %v, wantErr %v", err, tt.wantErr)
 				return

chaoscenter/graphql/server/pkg/chaos_experiment/ops/service.go

@@ -833,7 +833,6 @@ func (c *chaosExperimentService) processChaosScheduleManifest(ctx context.Contex
 func (c *chaosExperimentService) UpdateRuntimeCronWorkflowConfiguration(cronWorkflowManifest v1alpha1.CronWorkflow, experiment dbChaosExperiment.ChaosExperimentRequest) (v1alpha1.CronWorkflow, []string, error) {
 	var (
 		faults []string
-		probes []dbChaosExperimentRun.Probes
 	)
 	for i, template := range cronWorkflowManifest.Spec.WorkflowSpec.Templates {
 		artifact := template.Inputs.Artifacts
@@ -867,10 +866,6 @@ func (c *chaosExperimentService) UpdateRuntimeCronWorkflowConfiguration(cronWork
 							annotationArray = append(annotationArray, annotationKey.Name)
 						}
 					}
-					probes = append(probes, dbChaosExperimentRun.Probes{
-						FaultName:  artifact[0].Name,
-						ProbeNames: annotationArray,
-					})
 
 					meta.Annotations = annotation
 

chaoscenter/graphql/server/pkg/chaos_infrastructure/service.go

@@ -86,6 +86,11 @@ func (in *infraService) RegisterInfra(c context.Context, projectID string, input
 		return nil, errors.New("infra already exists in this project with the same name")
 	}
 
+	// Check if EnvironmentID is valid
+	if _, err := in.envOperator.GetEnvironmentDetails(c, input.EnvironmentID, projectID); err != nil {
+		return nil, errors.New("Invalid EnvironmentID")
+	}
+
 	if (*input.InfraNsExists && input.InfraNamespace == nil) || (*input.InfraNsExists && *input.InfraNamespace == "") {
 		return nil, errors.New("InfraNamespace parameter is required if InfraNsExists is true")
 	}

chaoscenter/graphql/server/pkg/chaoshub/handler/handler.go

@@ -12,6 +12,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/mrz1836/go-sanitize"
+
 	"github.com/gin-gonic/gin"
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/graph/model"
 	chaoshubops "github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/chaoshub/ops"
@@ -169,7 +171,7 @@ func DownloadRemoteHub(hubDetails model.CreateRemoteChaosHub, projectID string)
 	defer destDir.Close()
 
 	//download the zip file from the provided url
-	download, err := http.Get(hubDetails.RepoURL)
+	download, err := http.Get(sanitize.URL(hubDetails.RepoURL))
 	if err != nil {
 		log.Error(err)
 		return err

chaoscenter/graphql/server/pkg/chaoshub/service.go

@@ -1010,7 +1010,7 @@ func (c *chaosHubService) listDefaultHubs() *model.ChaosHub {
 	defaultHubs := &model.ChaosHub{
 		ID:         DefaultHubID,
 		Name:       "Litmus ChaosHub",
-		RepoURL:    "https://github.com/litmuschaos/chaos-charts",
+		RepoURL:    utils.Config.DefaultHubGitURL,
 		RepoBranch: utils.Config.DefaultHubBranchName,
 		IsDefault:  true,
 	}