Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.3.0 to 1.4.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/open-policy-agent/opa/releases">github.com/open-policy-agent/opa's releases</a>.</em></p> <blockquote> <h2>v1.4.2</h2> <p>This is a bug fix release addressing the missing <code>capabilities/v1.4.1.json</code> in the v1.4.1 release.</p> <h2>v1.4.1</h2> <p>⚠️ Please skip this release and go straight to v1.4.2 ⚠️ This release is broken due to a mistake during the release process and the artifacts are missing a crucial capabilities file. Sorry for any inconvenience.</p> <hr /> <p>This is a security fix release for the fixes published in Go <a href="https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI">1.24.1</a> and <a href="https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk">1.24.2</a></p> <ul> <li>build: bump go to 1.24.2 (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7544">#7544</a>) (authored by <a href="https://github.com/sspaink"><code>@sspaink</code></a>) Addressing <code>CVE-2025-22870</code> and <code>CVE-2025-22871</code> vulnerabilities in the Go runtime.</li> </ul> <h2>v1.4.0</h2> <p>This release contains a security fix addressing CVE-2025-46569. 
It also includes a mix of new features, bugfixes, and dependency updates.</p> <h4>Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (<a href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7">GHSA-6m8w-jc87-6cr7</a>)</h4> <p>A vulnerability in the OPA server's <a href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api">Data API</a> allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.<br /> The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.</p> <p><strong>Users are only impacted if all of the following apply:</strong></p> <ul> <li>OPA is deployed as a standalone server (rather than being used as a Go library)</li> <li>The OPA server is exposed outside of the local host in an untrusted environment.</li> <li>The configured <a href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization">authorization policy</a> does not do exact matching of the input.path attribute when deciding if the request should be allowed.</li> </ul> <p><strong>or, if all of the following apply:</strong></p> <ul> <li>OPA is deployed as a standalone server.</li> <li>The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.</li> </ul> <p>Note: With <strong>no</strong> <a href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization">Authorization Policy</a> configured for restricting API access (the default configuration), the RESTful <a 
href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api">Data API</a> provides access for managing Rego policies; and the RESTful <a href="https://www.openpolicyagent.org/docs/latest/rest-api/#query-api">Query API</a> facilitates advanced queries. Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate. As such, OPA servers exposed to a network are <strong>not</strong> considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.</p> <p>This issue affects all versions of OPA prior to 1.4.0.</p> <p>See the <a href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7">Security Advisory</a> for more details.</p> <p>Reported by <a href="https://github.com/GamrayW"><code>@GamrayW</code></a>, <a href="https://github.com/HyouKash"><code>@HyouKash</code></a>, <a href="https://github.com/AdrienIT"><code>@AdrienIT</code></a>, authored by <a href="https://github.com/johanfylling"><code>@johanfylling</code></a></p> <h3>Runtime, Tooling, SDK</h3> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md">github.com/open-policy-agent/opa's changelog</a>.</em></p> <blockquote> <h2>1.4.2</h2> <p>This is a bug fix release addressing the missing <code>capabilities/v1.4.1.json</code> in the v1.4.1 release.</p> <h2>1.4.1</h2> <p>This is a security fix release for the fixes published in Go <a href="https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI">1.24.1</a> and <a href="https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk">1.24.2</a></p> <ul> <li>build: bump go to 1.24.2 (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7544">#7544</a>) (authored by <a href="https://github.com/sspaink"><code>@sspaink</code></a>) Addressing <code>CVE-2025-22870</code> and <code>CVE-2025-22871</code> vulnerabilities in the Go runtime.</li> </ul> <h2>1.4.0</h2> <p>This release contains a security fix addressing CVE-2025-46569. It also includes a mix of new features, bugfixes, and dependency updates.</p> <h4>Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (<a href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7">GHSA-6m8w-jc87-6cr7</a>)</h4> <p>A vulnerability in the OPA server's <a href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api">Data API</a> allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.<br /> The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. 
Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.</p> <p><strong>Users are only impacted if all of the following apply:</strong></p> <ul> <li>OPA is deployed as a standalone server (rather than being used as a Go library)</li> <li>The OPA server is exposed outside of the local host in an untrusted environment.</li> <li>The configured <a href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization">authorization policy</a> does not do exact matching of the input.path attribute when deciding if the request should be allowed.</li> </ul> <p><strong>or, if all of the following apply:</strong></p> <ul> <li>OPA is deployed as a standalone server.</li> <li>The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.</li> </ul> <p>Note: With <strong>no</strong> <a href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization">Authorization Policy</a> configured for restricting API access (the default configuration), the RESTful <a href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api">Data API</a> provides access for managing Rego policies; and the RESTful <a href="https://www.openpolicyagent.org/docs/latest/rest-api/#query-api">Query API</a> facilitates advanced queries. Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate. 
As such, OPA servers exposed to a network are <strong>not</strong> considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.</p> <p>This issue affects all versions of OPA prior to 1.4.0.</p> <p>See the <a href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7">Security Advisory</a> for more details.</p> <p>Reported by <a href="https://github.com/GamrayW"><code>@GamrayW</code></a>, <a href="https://github.com/HyouKash"><code>@HyouKash</code></a>, <a href="https://github.com/AdrienIT"><code>@AdrienIT</code></a>, authored by <a href="https://github.com/johanfylling"><code>@johanfylling</code></a></p> <h3>Runtime, Tooling, SDK</h3> <ul> <li>ast: Adding <code>rego_v1</code> feature to <code>--v0-compatible</code> capabilities (<a href="https://redirect.github.com/open-policy-agent/opa/pull/7474">#7474</a>) authored by <a href="https://github.com/johanfylling"><code>@johanfylling</code></a></li> <li>executable: Add version and icon to OPA windows executable (<a href="https://redirect.github.com/open-policy-agent/opa/issues/3171">#3171</a>) authored by <a href="https://github.com/sspaink"><code>@sspaink</code></a> reported by <a href="https://github.com/christophwille"><code>@christophwille</code></a></li> <li>format: Don't panic on format due to unexpected comments (<a href="https://redirect.github.com/open-policy-agent/opa/issues/6330">#6330</a>) authored by <a href="https://github.com/sspaink"><code>@sspaink</code></a> reported by <a href="https://github.com/sirpi"><code>@sirpi</code></a></li> <li>format: Avoid modifying strings when formatting (<a href="https://redirect.github.com/open-policy-agent/opa/issues/6220">#6220</a>) authored by <a href="https://github.com/sspaink"><code>@sspaink</code></a> reported by <a href="https://github.com/zregvart"><code>@zregvart</code></a></li> <li>plugins/status: FIFO buffer channel for status events to prevent slow status API 
blocking (<a href="https://redirect.github.com/open-policy-agent/opa/pull/7522">#7522</a>) authored by <a href="https://github.com/sspaink"><code>@sspaink</code></a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details>
<details> <summary>Commits</summary>
<ul>
<li><a href="5e4582bb95"><code>5e4582b</code></a> Prepare v1.4.2 release (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7547">#7547</a>)</li>
<li><a href="3b64aff304"><code>3b64aff</code></a> Patch release v1.4.1 (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7545">#7545</a>)</li>
<li><a href="8b0720247e"><code>8b07202</code></a> Prepare v1.4.0 release (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7541">#7541</a>)</li>
<li><a href="ad2063247a"><code>ad20632</code></a> Merge commit from fork</li>
<li><a href="24ff9cfb3a"><code>24ff9cf</code></a> fix: return the raw strings when formatting (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7525">#7525</a>)</li>
<li><a href="254f3bf0b9"><code>254f3bf</code></a> fix(status plugin): make sure the latest status is read before manually trigg...</li>
<li><a href="9b5f6010c0"><code>9b5f601</code></a> docs: fix post merge badge (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7532">#7532</a>)</li>
<li><a href="e490277477"><code>e490277</code></a> docs: Point path versioned requests to new sites (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7531">#7531</a>)</li>
<li><a href="d65888c14f"><code>d65888c</code></a> plugins/status: FIFO buffer channel for status events to prevent slow status ...</li>
<li><a href="eb77d10971"><code>eb77d10</code></a> docs: update edge links to use /docs/edge/ path (<a href="https://redirect.github.com/open-policy-agent/opa/issues/7529">#7529</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/open-policy-agent/opa/compare/v1.3.0...v1.4.2">compare view</a></li>
</ul> </details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details> <summary>Dependabot commands and options</summary> <br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
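The impact condition that operators can act on is the third one in the advisory: an authorization policy that does not match `input.path` exactly. The following is an added example, not code from the OPA release notes or from this PR, of a `system.authz` policy that compares the Data API path as a whole array, next to the prefix-only rule the advisory warns about; the decision path `example/authz/allow` and the token value `admin-token` are assumptions for illustration. OPA 1.x (v1 syntax) is assumed, and `opa test` runs the `test_` rules.

```rego
package system.authz

# Added example, not from the OPA project. In OPA's authorization policy the
# request path arrives pre-split into segments, e.g. the Data API request
# POST /v1/data/example/authz/allow gives
#   input.path == ["v1", "data", "example", "authz", "allow"]

default allow := false

# Assumed operator identity (set when --authentication=token is configured):
# full API access for policy management, nothing else is admitted below.
allow if {
	input.identity == "admin-token"
}

# Hardened rule: the whole segment array must match, so any request whose
# path carries extra, missing or altered segments is denied.
allow if {
	input.method == "POST"
	input.path == ["v1", "data", "example", "authz", "allow"]
}

# Weak form the advisory describes: only a prefix of the path is checked,
# so every path beneath v1/data/example is admitted, whatever follows.
allow_prefix_only if {
	input.method == "POST"
	input.path[0] == "v1"
	input.path[1] == "data"
	input.path[2] == "example"
}

# Tests for both rules; the last one shows why the prefix form is insufficient.
test_exact_path_allowed if {
	allow with input as {"method": "POST", "path": ["v1", "data", "example", "authz", "allow"]}
}

test_extra_segment_denied if {
	not allow with input as {"method": "POST", "path": ["v1", "data", "example", "authz", "allow", "extra"]}
}

test_prefix_rule_admits_extra_segment if {
	allow_prefix_only with input as {"method": "POST", "path": ["v1", "data", "example", "authz", "allow", "extra"]}
}
```

Load the policy with `opa run --server --authorization=basic --authentication=token policy.rego` (real OPA flags) and the unmatched paths are rejected before any query is evaluated; note that the rule set above still relies on the v1.4.0 upgrade, since the advisory lists the policy only as one of the conditions for exposure.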
Coder enables organizations to set up development environments in their public or private cloud infrastructure. Cloud development environments are defined with Terraform, connected through a secure high-speed Wireguard® tunnel, and automatically shut down when not used to save on costs. Coder gives engineering teams the flexibility to use the cloud for workloads most beneficial to them.
- Define cloud development environments in Terraform
- EC2 VMs, Kubernetes Pods, Docker Containers, etc.
- Automatically shut down idle resources to save on costs
- Onboard developers in seconds instead of days
Quickstart
The most convenient way to try Coder is to install it on your local machine and experiment with provisioning cloud development environments using Docker (works on Linux, macOS, and Windows).
# First, install Coder
curl -L https://coder.com/install.sh | sh
# Start the Coder server (caches data in ~/.cache/coder)
coder server
# Navigate to http://localhost:3000 to create your initial user,
# create a Docker template and provision a workspace
Install
The easiest way to install Coder is to use our install script for Linux and macOS. For Windows, use the latest ..._installer.exe file from GitHub Releases.
curl -L https://coder.com/install.sh | sh
You can run the install script with --dry-run to see the commands that will be used to install without executing them. Run the install script with --help for additional flags.
See install for additional methods.
Once installed, you can start a production deployment with a single command:
# Automatically sets up an external access URL on *.try.coder.app
coder server
# Requires a PostgreSQL instance (version 13 or higher) and external access URL
coder server --postgres-url <url> --access-url <url>
Use coder --help to get a list of flags and environment variables. Use our install guides for a complete walkthrough.
Documentation
Browse our docs here or visit a specific section below:
- Templates: Templates are written in Terraform and describe the infrastructure for workspaces
- Workspaces: Workspaces contain the IDEs, dependencies, and configuration information needed for software development
- IDEs: Connect your existing editor to a workspace
- Administration: Learn how to operate Coder
- Premium: Learn about our paid features built for large teams
Support
Feel free to open an issue if you have questions, run into bugs, or have a feature request.
Join our Discord to provide feedback on in-progress features and chat with the community using Coder!
Integrations
We are always working on new integrations. Please feel free to open an issue and ask for an integration. Contributions are welcome in any official or community repositories.
Official
- VS Code Extension: Open any Coder workspace in VS Code with a single click
- JetBrains Gateway Extension: Open any Coder workspace in JetBrains Gateway with a single click
- Dev Container Builder: Build development environments using devcontainer.json on Docker, Kubernetes, and OpenShift
- Module Registry: Extend development environments with common use-cases
- Kubernetes Log Stream: Stream Kubernetes Pod events to the Coder startup logs
- Self-Hosted VS Code Extension Marketplace: A private extension marketplace that works in restricted or airgapped networks integrating with code-server.
- Setup Coder: An action to set up the coder CLI in GitHub workflows.
Community
- Provision Coder with Terraform: Provision Coder on Google GKE, Azure AKS, AWS EKS, DigitalOcean DOKS, IBMCloud K8s, OVHCloud K8s, and Scaleway K8s Kapsule with Terraform
- Coder Template GitHub Action: A GitHub Action that updates Coder templates
Contributing
We are always happy to see new contributors to Coder. If you are new to the Coder codebase, we have a guide on how to get started. We'd love to see your contributions!
Hiring
Apply here if you're interested in joining our team.