Security concerns
The following discussions from !10 (merged) should be addressed:
- @alossent started a discussion: (+6 comments) I don't know PHP so can't really review this. I do notice though that these input variables (`$action` etc.) are not sanitized before using them to build requests to k8s API and ES API, so this app could be vulnerable to SSRF or script injection. Better check each of these variables against a strict regex.
- @alossent started a discussion: (+1 comment) To properly check certificates: for ES install the CERN CA package; for the Openshift API the cert can be found in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` in every pod.
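The two points above (strict allowlisting of request parameters before they reach the k8s API, and verifying the API server certificate against the in-pod CA bundle) as one added PHP example; this is not the project's code, and the parameter names `$action`, `$namespace`, `$pod`, the action-to-path table and the use of `kubernetes.default.svc` are assumptions. The ES side is not shown since it relies on the system CA bundle once the CERN CA package is installed.

```php
<?php
// Added example, not the project's code. $action, $namespace, $pod and the
// API paths are assumptions; the in-pod CA path is the one from the comment.
const K8S_CA    = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt';
const K8S_TOKEN = '/var/run/secrets/kubernetes.io/serviceaccount/token';
// Allowlist: each action maps to a fixed path template, so untrusted input can
// never change the scheme, host or path structure of the API request (SSRF).
const ACTIONS = [
    'list_pods' => '/api/v1/namespaces/%s/pods',
    'get_pod'   => '/api/v1/namespaces/%s/pods/%s',
];
// DNS-1123 label, which is what Kubernetes accepts for namespace and pod names.
const DNS_LABEL = '/^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/';
function validateName(string $value, string $field): string
{
    if (preg_match(DNS_LABEL, $value) !== 1) {
        throw new InvalidArgumentException("invalid $field");
    }
    return $value;
}
function buildK8sPath(string $action, string $namespace, string $pod = ''): string
{
    if (!array_key_exists($action, ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    $args = [validateName($namespace, 'namespace')];
    if ($action === 'get_pod') {
        $args[] = validateName($pod, 'pod');
    }
    // rawurlencode is belt-and-braces: a valid label has no reserved characters.
    return vsprintf(ACTIONS[$action], array_map('rawurlencode', $args));
}
function k8sGet(string $path): string
{
    $ch = curl_init('https://kubernetes.default.svc' . $path);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // keep verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => K8S_CA,  // trust the cluster CA from the pod
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . trim(file_get_contents(K8S_TOKEN))],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('API request failed: ' . curl_error($ch));
    }
    return $body;
}

// Untrusted query parameters reach the API only through the allowlists above.
echo k8sGet(buildK8sPath($_GET['action'] ?? '', $_GET['namespace'] ?? '', $_GET['pod'] ?? ''));
```

Any value that fails the allowlist or the label regex throws before a request is built, which is the behaviour to surface in logs rather than silently falling back to a default.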