Trail of Bits

Tekton

Type: Security review

Client: The Linux Foundation

Date: 2022-03

Domain: Blockchain

Effort: 4 wks

Section: Cloud-Native Reviews

Trail of Bits's security review of Tekton for The Linux Foundation (Mar 2022) identified 13 issues: 1 high, 2 medium, 4 low, and 6 informational.

Findings · 13

  1. The use of time.After() in select statements can lead to memory leaks (Low)
  2. Risk of resource exhaustion due to the use of defer inside a loop (Informational)
  3. Lack of access controls for Tekton Pipelines API (Informational)
  4. Insufficient validation of volumeMounts paths (Informational)
  5. Missing validation of Origin header in WebSocket upgrade requests (High)
  6. “Import resources” feature does not validate repository URL scheme (Informational)
  7. Insufficient security hardening of step containers (Low)
  8. Tekton allows users to create privileged containers (Medium)
  9. Insufficient default network access controls between pods (Medium)
  10. “Import resources” feature does not validate repository path (Informational)
  11. Lack of rate-limiting controls (Low)
  12. Lack of maximum request and response body constraint (Informational)
  13. Nil dereferences in the trigger interceptor logic (Low)

Findings extracted from the published report PDF. See the full report below for details and remediation.