coder

mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00

Files

Dean Sheather 0374af23b2 fix(security)!: path-based app sharing changes (#5772 )

This commit disables path-based app sharing by default. It is possible
for a workspace app on a path (not a subdomain) to make API requests to
the Coder API. When accessing your own workspace, this is not much of a
problem. When accessing a shared workspace app, the workspace owner
could include malicious javascript in the page that makes requests to
the Coder API on behalf of the visitor.

This vulnerability does not affect subdomain apps.

- Disables path-based app sharing by default. Previous behavior can be
  restored using the `--dangerous-allow-path-app-sharing` flag which is
  not recommended.

- Disables users with the site "owner" role from accessing path-based
  apps from workspaces they do not own. Previous behavior can be
  restored using the `--dangerous-allow-path-app-site-owner-access` flag
  which is not recommended.

- Adds a flag `--disable-path-apps` which can be used by
  security-conscious admins to disable all path-based apps across the
  entire deployment. This check is enforced at app-access time, not at
  template-ingest time.

2023-01-18 22:56:14 +00:00

apidoc

fix(security)!: path-based app sharing changes (#5772 )

2023-01-18 22:56:14 +00:00

audit

feat: Auditing group members as part of group resource (#5730 )

2023-01-18 15:13:39 -05:00

autobuild

feat: Add external provisioner daemons (#4935 )

2022-11-16 16:34:06 -06:00

awsidentity

feat: Add AWS instance identity authentication (#570 )

2022-03-28 19:31:03 +00:00

azureidentity

chore: Upgrade to Go 1.19 (#3617 )

2022-08-21 22:32:53 +00:00

coderdtest

feat: add --experiments flag to replace --experimental (#5767 )

2023-01-18 19:12:53 +00:00

database

feat: Auditing group members as part of group resource (#5730 )

2023-01-18 15:13:39 -05:00

devtunnel

fix: Add timeout to selecting a dev tunnel (#4592 )

2022-10-17 18:03:17 +00:00

gitauth

fix: fix security vulnerabilities reported by CodeQL (#5467 )

2022-12-19 19:25:59 +00:00

gitsshkey

feat: Add user scoped git ssh keys (#834 )

2022-04-06 00:18:26 +00:00

httpapi

chore: bump crate-ci/typos from 1.12.12 to 1.13.3 (#5304 )

2022-12-06 11:50:33 +00:00

httpmw

chore!: Standardize prometheus time metrics to seconds (#5709 )

2023-01-13 11:15:25 -06:00

metricscache

site: support high build time variation in progress bar (#4941 )

2022-11-17 16:56:56 +00:00

parameter

fix: Remove unused scopes from parameter computation (#4171 )

2022-09-23 16:09:45 -05:00

prometheusmetrics

fix: coderd/prometheusmetrics wait for all metrics in require.Eventually (#5338 )

2022-12-07 17:50:17 +01:00

provisionerdserver

feat: Add basic support for rich parameters to coderd and provisionerd (#5710 )

2023-01-17 11:22:11 +01:00

rbac

chore: More complete tracing for RBAC functions (#5690 )

2023-01-13 16:07:15 -06:00

telemetry

feat: Add the option to generate a trial license during setup (#5110 )

2022-11-16 17:09:49 -06:00

tracing

feat: tracing improvements (#4988 )

2022-11-29 07:22:10 +10:00

updatecheck

feat: Add support for update checks and notifications (#4810 )

2022-12-01 19:43:28 +02:00

userpassword

Correct spelling of macOS (#3478 )

2022-08-11 21:22:06 -04:00

util

chore: Add generics to typescript generator (#4664 )

2022-10-20 08:15:24 -05:00

wsconncache

fix: Close coordinator in wsconncache test (#5348 )

2022-12-08 11:44:03 +00:00

activitybump_test.go

feat(coderd): activity bump for full TTL instead of 1h (#5732 )

2023-01-16 20:13:34 +00:00

activitybump.go

feat(coderd): activity bump for full TTL instead of 1h (#5732 )

2023-01-16 20:13:34 +00:00

apikey_test.go

feat: add flag for token lifetime (#5385 )

2022-12-12 15:39:31 -05:00

apikey.go

feat: Manage tokens in dashboard (#5444 )

2023-01-13 17:20:03 +00:00

apiroot.go

docs: api root, buildinfo, csp (#5493 )

2022-12-22 15:53:14 +01:00

audit_test.go

Add audit links/kira pilot (#5156 )

2022-12-02 15:14:45 -05:00

audit.go

feat: Auditing group members as part of group resource (#5730 )

2023-01-18 15:13:39 -05:00

authorize_test.go

feat: add template RBAC/groups (#4235 )

2022-10-10 15:37:06 -05:00

authorize.go

docs: applications and authorization (#5477 )

2022-12-21 15:37:30 +01:00

buildinfo.go

docs: api root, buildinfo, csp (#5493 )

2022-12-22 15:53:14 +01:00

client_test.go

fix: workspaceapps: overloaded test server responds with 502s (#5255 )

2022-12-02 23:16:07 +01:00

coderd_test.go

feat: Build framework for generating API docs (#5383 )

2022-12-19 18:43:46 +01:00

coderd.go

feat: add --experiments flag to replace --experimental (#5767 )

2023-01-18 19:12:53 +00:00

csp.go

feat: Validate swagger definitions (#5694 )

2023-01-13 12:27:21 +01:00

deploymentconfig_test.go

fix: move experimental flag to server (#4959 )

2022-11-08 16:59:39 +00:00

deploymentconfig.go

docs: audit, deploymentconfig, files, parameters (#5506 )

2023-01-03 19:21:10 +01:00

experiments_test.go

feat: add --experiments flag to replace --experimental (#5767 )

2023-01-18 19:12:53 +00:00

experiments.go

feat: add --experiments flag to replace --experimental (#5767 )

2023-01-18 19:12:53 +00:00

files_test.go

fix: allow regular users to push files (#4500 )

2022-10-13 18:02:52 -05:00

files.go

feat: Validate swagger definitions (#5694 )

2023-01-13 12:27:21 +01:00

gitsshkey_test.go

Refactor Provisioner to distinguish Plan and Apply (#5036 )

2022-11-11 16:45:58 -06:00

gitsshkey.go

feat: Validate swagger definitions (#5694 )

2023-01-13 12:27:21 +01:00

members.go

docs: API users (#5620 )

2023-01-11 14:08:04 +01:00

organizations_test.go

chore: Use contexts with timeout in coderd tests (#3381 )

2022-08-09 20:17:00 +03:00

organizations.go

feat: Validate swagger definitions (#5694 )

2023-01-13 12:27:21 +01:00

pagination_internal_test.go

chore: Upgrade to Go 1.19 (#3617 )

2022-08-21 22:32:53 +00:00

pagination.go

feat: trace httpapi.{Read,Write} (#4134 )

2022-09-21 17:07:00 -05:00

parameters_test.go

Refactor Provisioner to distinguish Plan and Apply (#5036 )

2022-11-11 16:45:58 -06:00

parameters.go

docs: audit, deploymentconfig, files, parameters (#5506 )

2023-01-03 19:21:10 +01:00

provisionerjobs_internal_test.go

feat: Add buffering to provisioner job logs (#4918 )

2022-11-06 20:50:34 -06:00

provisionerjobs_test.go

Refactor Provisioner to distinguish Plan and Apply (#5036 )

2022-11-11 16:45:58 -06:00

provisionerjobs.go

Updated PreconditionFailed status occurences to more appropriate statuses. (#5513 )

2023-01-13 08:30:48 -06:00

roles_test.go

feat: secure and cross-domain subdomain-based proxying (#4136 )

2022-09-22 22:30:32 +00:00

roles.go

docs: API users (#5620 )

2023-01-11 14:08:04 +01:00

templates_test.go

Updated PreconditionFailed status occurences to more appropriate statuses. (#5513 )

2023-01-13 08:30:48 -06:00

templates.go

Updated PreconditionFailed status occurences to more appropriate statuses. (#5513 )

2023-01-13 08:30:48 -06:00

templateversions_test.go

Updated PreconditionFailed status occurences to more appropriate statuses. (#5513 )

2023-01-13 08:30:48 -06:00

templateversions.go

feat: Add basic support for rich parameters to coderd and provisionerd (#5710 )

2023-01-17 11:22:11 +01:00

updatecheck_test.go

feat: Add support for update checks and notifications (#4810 )

2022-12-01 19:43:28 +02:00

updatecheck.go

docs: api root, buildinfo, csp (#5493 )

2022-12-22 15:53:14 +01:00

userauth_test.go

fix: use UserInfo endpoint with OIDC (#5735 )

2023-01-16 16:06:39 -06:00

userauth.go

fix: use UserInfo endpoint with OIDC (#5735 )

2023-01-16 16:06:39 -06:00

users_internal_test.go

chore: Rename 'admin' to 'owner' (#3498 )

2022-08-15 14:40:19 -05:00

users_test.go

feat: add flag to disaable all rate limits (#5570 )

2023-01-05 18:05:20 +00:00

users.go

feat: Validate swagger definitions (#5694 )

2023-01-13 12:27:21 +01:00

workspaceagents_test.go

feat: Validate Git tokens before consuming them (#5167 )

2022-11-29 12:08:27 -06:00

workspaceagents.go

feat: Add more swagger checks (#5707 )

2023-01-13 16:47:38 +01:00

workspaceapps_internal_test.go

feat: endpoint to logout app subdomain URLs (#5428 )

2022-12-20 18:45:13 +00:00

workspaceapps_test.go

fix(security)!: path-based app sharing changes (#5772 )

2023-01-18 22:56:14 +00:00

workspaceapps.go

fix(security)!: path-based app sharing changes (#5772 )

2023-01-18 22:56:14 +00:00

workspacebuilds_test.go

feat: Expose workspace build parameters via API (#5743 )

2023-01-17 16:24:45 +01:00

workspacebuilds.go

feat: Expose workspace build parameters via API (#5743 )

2023-01-17 16:24:45 +01:00

workspaceresourceauth_test.go

Refactor Provisioner to distinguish Plan and Apply (#5036 )

2022-11-11 16:45:58 -06:00

workspaceresourceauth.go

feat: Validate swagger definitions (#5694 )

2023-01-13 12:27:21 +01:00

workspaces_internal_test.go

Filter query: has-agent connecting, connected, disconnected, timeout (#5145 )

2022-11-24 15:33:13 +01:00

workspaces_test.go

feat: Expose workspace build parameters via API (#5743 )

2023-01-17 16:24:45 +01:00

workspaces.go

feat: Expose workspace build parameters via API (#5743 )

2023-01-17 16:24:45 +01:00