Skip to content

fix(security): deny enableAutoApproval bypass (GHSA-26jv-m5j2-9xpp)#1794

Open
TAJeffcock wants to merge 2 commits into
masterfrom
fix/ghsa-xjj2-gff7-4mgj-provider-consent-gate
Open

fix(security): deny enableAutoApproval bypass (GHSA-26jv-m5j2-9xpp)#1794
TAJeffcock wants to merge 2 commits into
masterfrom
fix/ghsa-xjj2-gff7-4mgj-provider-consent-gate

Conversation

@TAJeffcock

@TAJeffcock TAJeffcock commented Jun 29, 2026

Copy link
Copy Markdown

Summary

  • Fixes a medium (CVSS 6.5) approval gate bypass where any namespace user could set spec.enableAutoApproval: true on a Configuration or CloudResource to skip the platform approval gate and run Terraform apply against production cloud accounts without operator review.

Root cause

  • The validation webhook had no check for spec.enableAutoApproval. Any tenant with create or update on configurations.terraform.appvia.io could set the field to true, causing the reconciler to skip the approval annotation check entirely and dispatch plan and apply jobs immediately.

Fix

  • The validation webhook now rejects spec.enableAutoApproval: true unless the controller --enable-auto-approval flag is explicitly set by the platform operator (default: false). The same check is applied to CloudResource objects, which previously propagated the field unchanged to the generated Configuration.

Impact on existing clusters

  • Breaking change: clusters where tenants legitimately use enableAutoApproval: true must set the controller.enableAutoApproval: true in their Helm values to restore the behaviour.

Testing

  • Unit tests added for both Configuration and CloudResource webhooks asserting the field is denied when the platform flag is off
  • Verified end-to-end on a local kind cluster against v0.5.7: confirmed enableAutoApproval: true is admitted and applies immediately on the unpatched controller, then confirmed the patched controller blocks it at admission

References

@TAJeffcock TAJeffcock requested a review from gambol99 as a code owner June 29, 2026 18:10
@TAJeffcock TAJeffcock self-assigned this Jun 30, 2026
@TAJeffcock TAJeffcock changed the title fix(security): deny Configuration referencing a Provider with no selector fix(security): deny enableAutoApproval bypass (GHSA-26jv-m5j2-9xpp) Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant