Prepare v2.17.3 (#7333)

JorTurFer · web-flow · commit e615440f24f6 · 2025-12-22T12:40:52.000+01:00
* Merge commit from fork

* fix: projected service accounts are validated to prevent arbitrary path reads

Signed-off-by: Jorge Turrado &lt;jorge_turrado@hotmail.es&gt;

* validate signature

Signed-off-by: Jorge Turrado &lt;jorge_turrado@hotmail.es&gt;

---------

Signed-off-by: Jorge Turrado &lt;jorge_turrado@hotmail.es&gt;

* update changelog

Signed-off-by: Jorge Turrado &lt;jorge.turrado@mail.schwarz&gt;

* Update releases

Signed-off-by: Jorge Turrado &lt;jorge.turrado@mail.schwarz&gt;

---------

Signed-off-by: Jorge Turrado &lt;jorge_turrado@hotmail.es&gt;
Signed-off-by: Jorge Turrado &lt;jorge.turrado@mail.schwarz&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,7 +15,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 
 ## History
 
-- [Unreleased](#unreleased)
+- [v2.17.3](#v2173)
 - [v2.17.2](#v2172)
 - [v2.17.1](#v2171)
 - [v2.17.0](#v2170)
@@ -58,39 +58,11 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 - [v1.1.0](#v110)
 - [v1.0.0](#v100)
 
-## Unreleased
-
-### New
-
-- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
-
-#### Experimental
-
-- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
-
-### Improvements
-
-- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
+## v2.17.3
 
 ### Fixes
 
-- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
-
-### Deprecations
-
-You can find all deprecations in [this overview](https://github.com/kedacore/keda/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Abreaking-change) and [join the discussion here](https://github.com/kedacore/keda/discussions/categories/deprecations).
-
-New deprecation(s):
-
-- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
-
-### Breaking Changes
-
-- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
-
-### Other
-
-- TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
+- **General**: Fix CVE-2025-68476 ([#7333](https://github.com/kedacore/keda/pull/7333))
 
 ## v2.17.2
 
diff --git a/pkg/scaling/resolver/hashicorpvault_handler.go b/pkg/scaling/resolver/hashicorpvault_handler.go
@@ -20,7 +20,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -120,8 +119,7 @@ func (vh *HashicorpVaultHandler) token(client *vaultapi.Client) (string, error)
 			return token, errors.New("k8s SA file not in config")
 		}
 
-		// Get the JWT from POD
-		jwt, err := os.ReadFile(vh.vault.Credential.ServiceAccount)
+		jwt, err := readKubernetesServiceAccountProjectedToken(vh.vault.Credential.ServiceAccount)
 		if err != nil {
 			return token, err
 		}
diff --git a/pkg/scaling/resolver/k8s_validator.go b/pkg/scaling/resolver/k8s_validator.go
@@ -0,0 +1,39 @@
+package resolver
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+var parser = jwt.NewParser()
+
+func readKubernetesServiceAccountProjectedToken(path string) ([]byte, error) {
+	jwt, err := os.ReadFile(path)
+	if err != nil {
+		return []byte{}, err
+	}
+	if err = validateK8sSAToken(jwt); err != nil {
+		return []byte{}, err
+	}
+	return jwt, nil
+}
+
+func validateK8sSAToken(saToken []byte) error {
+	claims := jwt.MapClaims{}
+	_, _, err := parser.ParseUnverified(string(saToken), &claims)
+	if err != nil {
+		return fmt.Errorf("error validating token: %w", err)
+	}
+	sub, err := claims.GetSubject()
+	if err != nil {
+		return fmt.Errorf("error getting token sub: %w", err)
+	}
+	if !strings.HasPrefix(sub, "system:serviceaccount:") {
+		return fmt.Errorf("error validating token: subject isn't a service account")
+	}
+
+	return nil
+}
diff --git a/pkg/scaling/resolver/k8s_validator_test.go b/pkg/scaling/resolver/k8s_validator_test.go
@@ -0,0 +1,176 @@
+/*
+Copyright 2025 The KEDA Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func TestReadKubernetesServiceAccountProjectedToken(t *testing.T) {
+	tests := []struct {
+		name        string
+		setupToken  func() string
+		expectError bool
+		validate    func([]byte) bool
+	}{
+		{
+			name: "valid token",
+			setupToken: func() string {
+				privateKey, _, err := generateTestRSAKeyPair()
+				if err != nil {
+					t.Fatalf("failed to generate RSA keys: %v", err)
+				}
+
+				// Create valid JWT token
+				claims := jwt.MapClaims{
+					"iss": "kubernetes/serviceaccount",
+					"sub": "system:serviceaccount:default:default",
+					"exp": time.Now().Add(time.Hour).Unix(),
+					"iat": time.Now().Unix(),
+				}
+				tokenBytes, err := createJWTToken(privateKey, claims)
+				if err != nil {
+					t.Fatalf("failed to create JWT token: %v", err)
+				}
+				tokenPath := createTempFile(t, tokenBytes)
+
+				return tokenPath
+			},
+			expectError: false,
+			validate: func(token []byte) bool {
+				return len(token) > 0
+			},
+		},
+		{
+			name: "token file does not exist",
+			setupToken: func() string {
+				return "/nonexistent/token/path"
+			},
+			expectError: true,
+		},
+		{
+			name: "arbitrary file content is not a valid token",
+			setupToken: func() string {
+				// Create an arbitrary file with random content that is not a JWT
+				arbitraryContent := []byte("This is just arbitrary file content, not a JWT token at all")
+				tokenPath := createTempFile(t, arbitraryContent)
+
+				return tokenPath
+			},
+			expectError: true,
+		},
+		{
+			name: "not sa token",
+			setupToken: func() string {
+				privateKey, _, err := generateTestRSAKeyPair()
+				if err != nil {
+					t.Fatalf("failed to generate RSA keys: %v", err)
+				}
+
+				// Create valid JWT token but not from k8s
+				claims := jwt.MapClaims{
+					"iss": "random-issuer",
+					"sub": "1234-3212",
+					"exp": time.Now().Add(time.Hour).Unix(),
+					"iat": time.Now().Unix(),
+				}
+				tokenBytes, err := createJWTToken(privateKey, claims)
+				tokenPath := createTempFile(t, tokenBytes)
+
+				return tokenPath
+			},
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tokenPath := tt.setupToken()
+			defer os.Remove(tokenPath)
+
+			result, err := readKubernetesServiceAccountProjectedToken(tokenPath)
+
+			if (err != nil) != tt.expectError {
+				t.Errorf("readKubernetesServiceAccountProjectedToken() error = %v, expectError = %v", err, tt.expectError)
+				return
+			}
+
+			if !tt.expectError && tt.validate != nil {
+				if !tt.validate(result) {
+					t.Errorf("readKubernetesServiceAccountProjectedToken() returned invalid result")
+				}
+			}
+		})
+	}
+}
+
+// Helper function to generate RSA key pair for testing
+func generateTestRSAKeyPair() (*rsa.PrivateKey, *rsa.PublicKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	return privateKey, &privateKey.PublicKey, nil
+}
+
+// Helper function to create a valid JWT token for testing
+func createJWTToken(privateKey *rsa.PrivateKey, claims jwt.MapClaims) ([]byte, error) {
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	tokenString, err := token.SignedString(privateKey)
+	if err != nil {
+		return nil, err
+	}
+	return []byte(tokenString), nil
+}
+
+// Helper function to write RSA public key to PEM format
+func writePublicKeyPEM(publicKey *rsa.PublicKey) ([]byte, error) {
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(publicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	publicKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyBytes,
+	})
+
+	return publicKeyPEM, nil
+}
+
+// Helper function to create temporary files for testing
+func createTempFile(t *testing.T, content []byte) string {
+	tmpFile, err := os.CreateTemp("", "k8s_test_*")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer tmpFile.Close()
+
+	if _, err := tmpFile.Write(content); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+
+	return tmpFile.Name()
+}
