Release history

warpgate releases

Fully transparent SSH, HTTPS, Kubernetes, MySQL and Postgres bastion/PAM that doesn't need additional client-side software

No immediate action
v0.24.1 Bugfix

SSH instruction fix

Config change
v0.24.0 New feature
Auth

Web SSH + default roles + tickets

Review required
v0.23.4 Bug fix
Auth

API token username retrieval

v0.23.3 Security relevant
Security fixes
  • GHSA-rj86-hm3r-c275: SSO state parameter validation prevents session hijacking through shared return links
Full changelog

Security fixes

GHSA-rj86-hm3r-c275

  • Verify SSO state parameter in https://github.com/warp-tech/warpgate/pull/1891

This vulnerability allowed an authorized Warpgate user A to share their SSO return link with another authorized Warpgate user B, potentially misleading B into getting logged in as A and subsequently sharing confidential information through user A's session.
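The check this advisory describes, as an added example (not Warpgate's code): the `state` value is bound to the browser session that started the SSO flow, so a return link opened in any other session is rejected. The session store, the simulated identity provider, the `/sso/return` path and the `warpgate.example` host are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-ins: browser session store and the IdP's code -> identity table.
PENDING_STATE = {}   # session id -> state issued when that session started SSO
IDP_CODES = {}       # authorization code -> username (simulated identity provider)


def start_sso(session_id: str) -> str:
    """Begin login: bind a fresh random state to this browser session."""
    state = secrets.token_urlsafe(32)
    PENDING_STATE[session_id] = state
    return state


def idp_return_link(state: str, username: str) -> str:
    """Simulated IdP: authenticate `username` and build the return link."""
    code = secrets.token_urlsafe(16)
    IDP_CODES[code] = username
    query = urlencode({"code": code, "state": state})
    return "https://warpgate.example/sso/return?" + query  # hypothetical path


def handle_return(session_id: str, link: str, verify_state: bool = True):
    """Process a return link in the given browser session.

    Returns the logged-in username, or None when the link is rejected.
    verify_state=False reproduces the pre-fix behaviour for comparison.
    """
    params = parse_qs(urlsplit(link).query)
    code = params.get("code", [""])[0]
    returned = params.get("state", [""])[0]
    if verify_state:
        expected = PENDING_STATE.pop(session_id, None)  # state is single use
        if not expected or not hmac.compare_digest(
            expected.encode(), returned.encode()
        ):
            return None  # link was not issued for this session
    return IDP_CODES.pop(code, None)  # authorization codes are single use too
```

With the check in place, user A's link fails in user B's session whether or not B has a pending login of their own, and still works once in A's session.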

Fixes

  • fix #1883 - re-normalize options.auth field for database targets by @Eugeny in https://github.com/warp-tech/warpgate/pull/1892

Full Changelog: https://github.com/warp-tech/warpgate/compare/v0.23.2...v0.23.3

What's Changed

  • Verify state parameter by @Eugeny in https://github.com/warp-tech/warpgate/pull/1891
  • fix #1883 - re-normalize options.auth field for database targets by @Eugeny in https://github.com/warp-tech/warpgate/pull/1892

Full Changelog: https://github.com/warp-tech/warpgate/compare/v0.23.2...v0.23.3

v0.23.2 Bug fix

Minor fixes and improvements.

Full changelog

Fixes

  • fix #1854 - PG timestamp types by @Eugeny in https://github.com/warp-tech/warpgate/pull/1877

Full Changelog: https://github.com/warp-tech/warpgate/compare/v0.23.1...v0.23.2

What's Changed

  • Bump follow-redirects from 1.15.11 to 1.16.0 in /warpgate-web by @dependabot[bot] in https://github.com/warp-tech/warpgate/pull/1867
  • fix #1854 - PG timestamp types by @Eugeny in https://github.com/warp-tech/warpgate/pull/1877
  • Bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in https://github.com/warp-tech/warpgate/pull/1870

Full Changelog: https://github.com/warp-tech/warpgate/compare/v0.23.1...v0.23.2

v0.23.1 Security relevant
Security fixes
  • GHSA-f5v4-2wr6-hqmg: DoS vulnerability allowing unauthenticated users to trigger out-of-memory condition
Full changelog

Security fixes

GHSA-f5v4-2wr6-hqmg

This DoS vulnerability allowed an unauthenticated user to trigger an out-of-memory condition on a Warpgate instance if keyboard-interactive authentication is enabled. A malicious authentication packet could trigger a multi-GB memory allocation, likely leading to Warpgate being killed by the OOM killer.

v0.23.0 New feature
Notable features
  • Admin roles for granular admin UI permissions separate from access roles
  • AWS IAM authentication for SSH, EKS, and RDS targets
  • Rich audit logs with separate retention policy and event filtering
Full changelog

Changes

  • #1499 - admin roles in https://github.com/warp-tech/warpgate/pull/1783

    • New "Admin roles" let you grant users granular permissions to the admin UI, for example to manage targets/users/roles/tickets. These are separate from the existing "Access roles".
    • Migration notes:
      • The admin UI is no longer its own "target" but rather a link on the top of the Warpgate landing page
      • Any user with an admin role assigned to them is now able to access the admin UI - with the corresponding restrictions
      • Existing users that are assigned to the warpgate:admin role will have a warpgate:admin superuser admin role assigned to them, so that there is no change in access after the update.
      • You can delete the old warpgate:admin access role if you have never used it for anything other than admin UI access.
  • Added support for disabling the injected menu by @LarsSven in https://github.com/warp-tech/warpgate/pull/1852

    • The new checkbox under Global Parameters lets you disable the injected session menu for HTTP targets. The users can still manually navigate back to /@warpgate to switch targets.
  • AWS IAM auth in https://github.com/warp-tech/warpgate/pull/1859

    • Experimental support for AWS IAM role authentication for SSH (EC2), EKS (Kubernetes) and MySQL and Postgres (RDS) targets.
  • Automatically generate client certificate when using kubernetes targets by @LarsSven in https://github.com/warp-tech/warpgate/pull/1795

    • The "Access instructions" dialog now offers a quick way to issue a new client certificate for Kubernetes targets as well as an option to store the certificate and the private key in the browser's storage. This allows the Warpgate frontend to generate a fully pre-configured kubeconfig file for the user, including the credentials.
  • Rich audit logs in https://github.com/warp-tech/warpgate/pull/1832

    • Audit-relevant events (such as role or credential changes as well as session start/end) are logged into a separate "audit" log stream - the Log page now offers a filter to view only audit logs. The new audit_retention config option controls a separate retention period for these log entries (12 months default).
  • feat: add user role assignment expiry and history tracking by @mrmm in https://github.com/warp-tech/warpgate/pull/1816

    • The new "edit" icon next to an active role assignment lets you add an expiry date.
  • Add support for allowed_ip_range for users by @LarsSven in https://github.com/warp-tech/warpgate/pull/1846

  • fixed #1497 - separate external host settings per protocol in https://github.com/warp-tech/warpgate/pull/1824

  • Polish some Kubernetes UI elements by @LarsSven in https://github.com/warp-tech/warpgate/pull/1770

  • Extend target search to include descriptions. Closes #1784 by @cvhariharan in https://github.com/warp-tech/warpgate/pull/1791

  • feat: Add HTTPRoute template to Helm chart by @solidassassin in https://github.com/warp-tech/warpgate/pull/1756

Fixes

  • fixed #1087 - detect port knocking in https://github.com/warp-tech/warpgate/pull/1862
  • fix(http): prioritize ?warpgate-target= query param over host-based domain binding by @aav in https://github.com/warp-tech/warpgate/pull/1868
  • fixed #1835 - support kubectl logs and portforward in https://github.com/warp-tech/warpgate/pull/1875
  • fix(ui): resolve config page layout regression caused by flex on main by @mrmm in https://github.com/warp-tech/warpgate/pull/1851
  • streamline x-forwarded header checks in https://github.com/warp-tech/warpgate/pull/1858
  • Use constant time comparison for admin tokens by @LarsSven in https://github.com/warp-tech/warpgate/pull/1853
  • perf(ui): improve admin log page with virtualization, buffer cap, and calmer polling by @pandeysambhi in https://github.com/warp-tech/warpgate/pull/1838
  • Send messages to SSH terminal synchronously by @LarsSven in https://github.com/warp-tech/warpgate/pull/1830
  • update Ticket model to use ID relations to user and target in https://github.com/warp-tech/warpgate/pull/1839
  • improvements(helm chart): fix setup job command line argument parsing failure due to trailing backslash and other improvements by @SachinMaharana in https://github.com/warp-tech/warpgate/pull/1819
  • fixed #1483 - apply SSH timeout settings to the SSH client as well in https://github.com/warp-tech/warpgate/pull/1813
  • #1414 - parse warpgate_roles claim from the token itself if present in https://github.com/warp-tech/warpgate/pull/1811
  • fixed #1785 - log queries fail on PostgreSQL in https://github.com/warp-tech/warpgate/pull/1807
  • Google sso role mapping fix by @SteezyCougar in https://github.com/warp-tech/warpgate/pull/1712
  • Warpgate should use subdomain if subdomain binding is enabled by @SteezyCougar in https://github.com/warp-tech/warpgate/pull/1777

Misc

  • OIDC integration tests in https://github.com/warp-tech/warpgate/pull/1766
  • ci: add Helm chart publish workflow by @SachinMaharana in https://github.com/warp-tech/warpgate/pull/1794
  • Dependency bumps & time crate migration in https://github.com/warp-tech/warpgate/pull/1840
  • Add database migration compatibility tests for PostgreSQL and MySQL by @Copilot in https://github.com/warp-tech/warpgate/pull/1863

New Contributors

  • @cvhariharan made their first contribution in https://github.com/warp-tech/warpgate/pull/1791
  • @solidassassin made their first contribution in https://github.com/warp-tech/warpgate/pull/1756
  • @SachinMaharana made their first contribution in https://github.com/warp-tech/warpgate/pull/1794
  • @pandeysambhi made their first contribution in https://github.com/warp-tech/warpgate/pull/1838
  • @aav made their first contribution in https://github.com/warp-tech/warpgate/pull/1868

Full Changelog: https://github.com/warp-tech/warpgate/compare/v0.22.1...v0.23.0

v0.21.0 New feature
Notable features
  • Kubernetes target proxying
  • Certificate credential issuance
  • REST and WebSocket API support
v0.20.2 Bug fix

Fixed Linux build glibc compatibility and LDAP query compatibility with lldap.

v0.20.0 New feature
Notable features
  • Configurable SSH client authentication
  • CLI config path via env variable
v0.19.1 Bug fix

Reverted an API-incompatible TlsMode change that broke the SSH keys admin UI.
