validate managed-by-url

aali309 · aali309 · commit a16f85b0fd97 · 2025-09-08T19:00:32.000-04:00
Signed-off-by: Atif Ali &lt;atali@redhat.com&gt;
diff --git a/common/common.go b/common/common.go
@@ -230,8 +230,6 @@ const (
 	// Skip reconcile when the value is "true" or any other string values that can be strconv.ParseBool() to be true.
 	AnnotationKeyAppSkipReconcile = "argocd.argoproj.io/skip-reconcile"
 
-	// AnnotationKeyManagedByURL contains the URL of the Argo CD instance managing the application
-	AnnotationKeyManagedByURL = "argocd.argoproj.io/managed-by-url"
 	// LabelKeyComponentRepoServer is the label key to identify the component as repo-server
 	LabelKeyComponentRepoServer = "app.kubernetes.io/component"
 	// LabelValueComponentRepoServer is the label value for the repo-server component
diff --git a/controller/cache/info.go b/controller/cache/info.go
@@ -494,7 +494,7 @@ func populateHostNodeInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 
 func populateApplicationInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 	// Add managed-by-url annotation to info if present
-	if managedByURL, ok := un.GetAnnotations()[common.AnnotationKeyManagedByURL]; ok {
+	if managedByURL, ok := un.GetAnnotations()[v1alpha1.AnnotationKeyManagedByURL]; ok {
 		res.Info = append(res.Info, v1alpha1.InfoItem{Name: "managed-by-url", Value: managedByURL})
 	}
 }
diff --git a/pkg/apis/application/v1alpha1/application_annotations.go b/pkg/apis/application/v1alpha1/application_annotations.go
@@ -11,4 +11,6 @@ const (
 	// absolute path means an absolute path within the repository and the relative path is relative to the application
 	// source path within the repository.
 	AnnotationKeyManifestGeneratePaths = "argocd.argoproj.io/manifest-generate-paths"
+	// AnnotationKeyManagedByURL contains the URL of the Argo CD instance managing the application
+	AnnotationKeyManagedByURL = "argocd.argoproj.io/managed-by-url"
 )
diff --git a/server/application/application.go b/server/application/application.go
@@ -1357,6 +1357,12 @@ func (s *Server) validateAndNormalizeApp(ctx context.Context, app *v1alpha1.Appl
 		return status.Errorf(codes.InvalidArgument, "application spec for %s is invalid: %s", app.Name, argo.FormatAppConditions(conditions))
 	}
 
+	// Validate managed-by-url annotation
+	managedByURLConditions := argo.ValidateManagedByURL(app)
+	if len(managedByURLConditions) > 0 {
+		return status.Errorf(codes.InvalidArgument, "application spec for %s is invalid: %s", app.Name, argo.FormatAppConditions(managedByURLConditions))
+	}
+
 	app.Spec = *argo.NormalizeApplicationSpec(&app.Spec)
 	return nil
 }
diff --git a/server/cluster/cluster_test.go b/server/cluster/cluster_test.go
@@ -864,7 +864,7 @@ func TestCreateDeepLinksObject_ManagedByURL(t *testing.T) {
 			Object: map[string]any{
 				"metadata": map[string]any{
 					"annotations": map[string]any{
-						common.AnnotationKeyManagedByURL: "https://example.com/argo",
+						appv1.AnnotationKeyManagedByURL: "https://example.com/argo",
 					},
 				},
 			},
diff --git a/server/deeplinks/deeplinks.go b/server/deeplinks/deeplinks.go
@@ -11,7 +11,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/utils/ptr"
 
-	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/application"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v3/util/settings"
@@ -77,7 +76,7 @@ func CreateDeepLinksObject(resourceObj *unstructured.Unstructured, app *unstruct
 		if app.Object["metadata"] != nil {
 			if metadata, ok := app.Object["metadata"].(map[string]any); ok {
 				if annotations, ok := metadata["annotations"].(map[string]any); ok {
-					if managedByURL, ok := annotations[common.AnnotationKeyManagedByURL].(string); ok {
+					if managedByURL, ok := annotations[v1alpha1.AnnotationKeyManagedByURL].(string); ok {
 						deeplinkObj[ManagedByURLKey] = managedByURL
 					}
 				}
diff --git a/server/deeplinks/deeplinks_test.go b/server/deeplinks/deeplinks_test.go
@@ -14,7 +14,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/ptr"
 
-	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/application"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v3/util/settings"
@@ -222,7 +221,7 @@ func TestManagedByURLAnnotation(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "test-app",
 				Annotations: map[string]string{
-					common.AnnotationKeyManagedByURL: managedByURL,
+					v1alpha1.AnnotationKeyManagedByURL: managedByURL,
 				},
 			},
 		}
@@ -265,7 +264,7 @@ func TestManagedByURLAnnotation(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "test-app",
 				Annotations: map[string]string{
-					common.AnnotationKeyManagedByURL: "",
+					v1alpha1.AnnotationKeyManagedByURL: "",
 				},
 			},
 		}
@@ -290,9 +289,9 @@ func TestManagedByURLAnnotation(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "test-app",
 				Annotations: map[string]string{
-					common.AnnotationKeyManagedByURL: managedByURL,
-					"argocd.argoproj.io/deep-link-1": "https://grafana.example.com/d/argo/argo-cd-application-dashboard",
-					"argocd.argoproj.io/deep-link-2": "https://kibana.example.com/app/kibana#/discover",
+					v1alpha1.AnnotationKeyManagedByURL: managedByURL,
+					"argocd.argoproj.io/deep-link-1":   "https://grafana.example.com/d/argo/argo-cd-application-dashboard",
+					"argocd.argoproj.io/deep-link-2":   "https://kibana.example.com/app/kibana#/discover",
 				},
 			},
 		}
diff --git a/test/e2e/managed_by_url_test.go b/test/e2e/managed_by_url_test.go
@@ -9,9 +9,9 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 
-	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/application"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/settings"
+	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	. "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v3/test/e2e/fixture"
 	. "github.com/argoproj/argo-cd/v3/test/e2e/fixture/app"
@@ -38,7 +38,7 @@ func TestManagedByURLWithAnnotation(t *testing.T) {
 				if appObj.Annotations == nil {
 					appObj.Annotations = make(map[string]string)
 				}
-				appObj.Annotations[common.AnnotationKeyManagedByURL] = managedByURL
+				appObj.Annotations[v1alpha1.AnnotationKeyManagedByURL] = managedByURL
 
 				_, err = fixture.AppClientset.ArgoprojV1alpha1().Applications(fixture.ArgoCDNamespace).Update(t.Context(), appObj, metav1.UpdateOptions{})
 				if err == nil {
@@ -75,7 +75,7 @@ func TestManagedByURLWithAnnotation(t *testing.T) {
 		Then().
 		And(func(app *Application) {
 			// Test that the managed-by-url annotation is preserved
-			assert.Equal(t, managedByURL, app.Annotations[common.AnnotationKeyManagedByURL])
+			assert.Equal(t, managedByURL, app.Annotations[v1alpha1.AnnotationKeyManagedByURL])
 
 			// Test that the application links include the managed-by-url in the deep links
 			conn, appClient, err := fixture.ArgoCDClientset.NewApplicationClient()
diff --git a/ui/src/app/applications/components/utils.tsx b/ui/src/app/applications/components/utils.tsx
@@ -8,6 +8,7 @@ import * as moment from 'moment';
 import {BehaviorSubject, combineLatest, concat, from, fromEvent, Observable, Observer, Subscription} from 'rxjs';
 import {debounceTime, map} from 'rxjs/operators';
 import {AppContext, Context, ContextApis} from '../../shared/context';
+import {isValidURL} from '../../shared/utils';
 import {ResourceTreeNode} from './application-resource-tree/application-resource-tree';
 
 import {CheckboxField, COLORS, ErrorNotification, Revision} from '../../shared/components';
@@ -1790,8 +1791,16 @@ export function getApplicationLinkURL(app: any, baseHref: string, node?: any): {
 
     let url, isExternal;
     if (managedByURL) {
-        url = managedByURL + '/applications/' + app.metadata.namespace + '/' + app.metadata.name;
-        isExternal = true;
+        // Validate the managed-by URL using the same validation as external links
+        if (!isValidURL(managedByURL)) {
+            // If URL is invalid, fall back to local URL for security
+            console.warn(`Invalid managed-by URL for application ${app.metadata.name}: ${managedByURL}`);
+            url = baseHref + 'applications/' + app.metadata.namespace + '/' + app.metadata.name;
+            isExternal = false;
+        } else {
+            url = managedByURL + '/applications/' + app.metadata.namespace + '/' + app.metadata.name;
+            isExternal = true;
+        }
     } else {
         url = baseHref + 'applications/' + app.metadata.namespace + '/' + app.metadata.name;
         isExternal = false;
@@ -1810,8 +1819,16 @@ export function getApplicationLinkURLFromNode(node: any, baseHref: string): {url
 
     let url, isExternal;
     if (managedByURL) {
-        url = managedByURL + '/applications/' + node.namespace + '/' + node.name;
-        isExternal = true;
+        // Validate the managed-by URL using the same validation as external links
+        if (!isValidURL(managedByURL)) {
+            // If URL is invalid, fall back to local URL for security
+            console.warn(`Invalid managed-by URL for application ${node.name}: ${managedByURL}`);
+            url = baseHref + 'applications/' + node.namespace + '/' + node.name;
+            isExternal = false;
+        } else {
+            url = managedByURL + '/applications/' + node.namespace + '/' + node.name;
+            isExternal = true;
+        }
     } else {
         url = baseHref + 'applications/' + node.namespace + '/' + node.name;
         isExternal = false;
diff --git a/util/argo/argo.go b/util/argo/argo.go
@@ -393,6 +393,29 @@ func ValidateRepo(
 	return conditions, nil
 }
 
+// ValidateManagedByURL validates the managed-by-url annotation on applications to ensure it contains a valid URL
+func ValidateManagedByURL(app *argoappv1.Application) []argoappv1.ApplicationCondition {
+	conditions := make([]argoappv1.ApplicationCondition, 0)
+
+	if app.Annotations == nil {
+		return conditions
+	}
+
+	managedByURL, exists := app.Annotations[argoappv1.AnnotationKeyManagedByURL]
+	if !exists || managedByURL == "" {
+		return conditions
+	}
+
+	if err := settings.ValidateExternalURL(managedByURL); err != nil {
+		conditions = append(conditions, argoappv1.ApplicationCondition{
+			Type:    argoappv1.ApplicationConditionInvalidSpecError,
+			Message: fmt.Sprintf("invalid managed-by URL: %v", err),
+		})
+	}
+
+	return conditions
+}
+
 func validateRepo(ctx context.Context,
 	app *argoappv1.Application,
 	db db.ArgoDB,
diff --git a/util/argo/argo_test.go b/util/argo/argo_test.go
@@ -1705,3 +1705,170 @@ func TestGetAppEventLabels(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateManagedByURL(t *testing.T) {
+	tests := []struct {
+		name       string
+		app        *argoappv1.Application
+		wantErr    bool
+		wantErrMsg string
+	}{
+		{
+			name: "Valid HTTPS URL",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "https://argocd.example.com",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Valid HTTP URL",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "http://argocd.example.com",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Valid localhost HTTPS URL",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "https://localhost:8081",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Valid localhost HTTP URL",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "http://localhost:8081",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Valid 127.0.0.1 URL",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "http://127.0.0.1:8081",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "No annotations",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Empty managed-by-url",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Missing managed-by-url annotation",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"other.annotation": "value",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Invalid protocol - javascript",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "javascript:alert('xss')",
+					},
+				},
+			},
+			wantErr:    true,
+			wantErrMsg: "invalid managed-by URL: URL must include http or https protocol",
+		},
+		{
+			name: "Invalid protocol - data",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "data:text/html,<script>alert('xss')</script>",
+					},
+				},
+			},
+			wantErr:    true,
+			wantErrMsg: "invalid managed-by URL: URL must include http or https protocol",
+		},
+		{
+			name: "Invalid protocol - file",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "file:///etc/passwd",
+					},
+				},
+			},
+			wantErr:    true,
+			wantErrMsg: "invalid managed-by URL: URL must include http or https protocol",
+		},
+		{
+			name: "Invalid URL format",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "not-a-url",
+					},
+				},
+			},
+			wantErr:    true,
+			wantErrMsg: "invalid managed-by URL: URL must include http or https protocol",
+		},
+		{
+			name: "URL with path and query",
+			app: &argoappv1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						argoappv1.AnnotationKeyManagedByURL: "https://argocd.example.com/applications?namespace=default",
+					},
+				},
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			conditions := ValidateManagedByURL(tt.app)
+
+			if tt.wantErr {
+				require.Len(t, conditions, 1, "Expected exactly one validation condition")
+				assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, conditions[0].Type)
+				assert.Contains(t, conditions[0].Message, tt.wantErrMsg)
+			} else {
+				assert.Empty(t, conditions, "Expected no validation conditions for valid URL")
+			}
+		})
+	}
+}
diff --git a/util/settings/settings.go b/util/settings/settings.go
diff --git a/util/settings/settings_test.go b/util/settings/settings_test.go

Original file line number	Diff line number	Diff line change
`@@ -494,7 +494,7 @@ func populateHostNodeInfo(un unstructured.Unstructured, res ResourceInfo) {`
`494`	`494`
`495`	`495`	`func populateApplicationInfo(un unstructured.Unstructured, res ResourceInfo) {`
`496`	`496`	`// Add managed-by-url annotation to info if present`
`497`		`- if managedByURL, ok := un.GetAnnotations()[common.AnnotationKeyManagedByURL]; ok {`
	`497`	`+ if managedByURL, ok := un.GetAnnotations()[v1alpha1.AnnotationKeyManagedByURL]; ok {`
`498`	`498`	`res.Info = append(res.Info, v1alpha1.InfoItem{Name: "managed-by-url", Value: managedByURL})`
`499`	`499`	`}`
`500`	`500`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,6 @@ const (`
`11`	`11`	`// absolute path means an absolute path within the repository and the relative path is relative to the application`
`12`	`12`	`// source path within the repository.`
`13`	`13`	`AnnotationKeyManifestGeneratePaths = "argocd.argoproj.io/manifest-generate-paths"`
	`14`	`+ // AnnotationKeyManagedByURL contains the URL of the Argo CD instance managing the application`
	`15`	`+ AnnotationKeyManagedByURL = "argocd.argoproj.io/managed-by-url"`
`14`	`16`	`)`
Original file line number	Diff line number	Diff line change
`@@ -1357,6 +1357,12 @@ func (s Server) validateAndNormalizeApp(ctx context.Context, app v1alpha1.Appl`
`1357`	`1357`	`return status.Errorf(codes.InvalidArgument, "application spec for %s is invalid: %s", app.Name, argo.FormatAppConditions(conditions))`
`1358`	`1358`	`}`
`1359`	`1359`
	`1360`	`+ // Validate managed-by-url annotation`
	`1361`	`+ managedByURLConditions := argo.ValidateManagedByURL(app)`
	`1362`	`+ if len(managedByURLConditions) > 0 {`
	`1363`	`+ return status.Errorf(codes.InvalidArgument, "application spec for %s is invalid: %s", app.Name, argo.FormatAppConditions(managedByURLConditions))`
	`1364`	`+ }`
	`1365`	`+`
`1360`	`1366`	`app.Spec = *argo.NormalizeApplicationSpec(&app.Spec)`
`1361`	`1367`	`return nil`
`1362`	`1368`	`}`