High severityNVD Advisory· Published Mar 18, 2026· Updated Mar 20, 2026
Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace
CVE-2026-32737
Description
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the inter-ns NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete inter-ns and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by inter-ns- in the target namespace.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A misconfigured NetworkPolicy in Romeo prior to v0.2.1 allows attackers in the hardened namespace to pivot to any pod in other namespaces, enabling lateral movement.
Vulnerability
Overview
In Romeo versions before 0.2.1, a miswritten NetworkPolicy (prefixed by inter-ns-) fails to properly restrict network traffic, allowing a malicious actor inside the 'hardened' namespace to pivot to any Pod outside that namespace [1][4]. This breaks the security-by-default property expected from the deployment, enabling potential lateral movement within the cluster.
Exploitation
Scenario
An attacker who gains initial access to a pod within the protected 'hardened' namespace can leverage this policy loophole to initiate connections to arbitrary pods in other namespaces [1][2]. The attack does not require additional authentication against those targets, as the network policy is the sole barrier being bypassed.
Impact
Successful exploitation permits the attacker to probe and interact with services running in other namespaces, potentially escalating privileges or accessing sensitive data. This vulnerability undermines the isolation guarantees provided by the intended network segmentation [4].
Mitigation
Version 0.2.1 removes the offending inter-ns NetworkPolicy. If upgrading is not immediately possible, administrators should manually delete any NetworkPolicy resource prefixed with inter-ns- in the target namespace [1][4].
References
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ctfer-io/romeo/environment/deployGo | < 0.2.1 | 0.2.1 |
Affected products
1- ctfer-io/romeov5Range: < 0.2.1
Patches
13bb5e9d9ce11fix: remove invalid network policy (#670)
10 files changed · +151 −104
environment/deploy/integration/coverout_test.go+10 −3 modified@@ -31,11 +31,18 @@ func Test_I_Coverout(t *testing.T) { Secrets: map[string]string{ "kubeconfig": os.Getenv("KUBECONFIG"), }, + Env: []string{ + "CTFERIO_CHALL_MANAGER_INTEGRATION_TEST=true", + }, ExtraRuntimeValidation: func(t *testing.T, stack integration.RuntimeValidationStackInfo) { // Issue API call - server := fmt.Sprintf("%s:%0.f", os.Getenv("SERVER"), stack.Outputs["port"]) - req, _ := http.NewRequest(http.MethodGet, fmt.Sprintf("http://%s/api/v1/coverout", server), nil) - res, err := http.DefaultClient.Do(req) + server := fmt.Sprintf("%s:%0.f", Server, stack.Outputs["port"]) + req, _ := http.NewRequest( //nolint:gosec //#gosec G704 -- FP, we are in integration test + http.MethodGet, + fmt.Sprintf("http://%s/api/v1/coverout", server), + nil, + ) + res, err := http.DefaultClient.Do(req) //nolint:gosec //#gosec G704 -- FP, we are in integration test require.NoError(t, err) defer func() { _ = res.Body.Close()
environment/deploy/integration/main_test.go+56 −5 modified@@ -3,20 +3,71 @@ package integration import ( "fmt" "os" + "os/exec" + "path/filepath" "testing" + + "github.com/pkg/errors" + "github.com/pulumi/pulumi/sdk/v3/go/common/workspace" + "gopkg.in/yaml.v3" ) var ( - Server string + Server = os.Getenv("SERVER") ) func TestMain(m *testing.M) { - server, ok := os.LookupEnv("SERVER") - if !ok { + if err := testmain(m); err != nil { + fmt.Printf("FAILED: %s", err) + os.Exit(1) + } +} + +func testmain(m *testing.M) error { + if Server == "" { //nolint:lll // the error message is not maintained fmt.Println("Environment variable SERVER is not set, please indicate the domain name/IP address to reach out the cluster.") } - Server = server - os.Exit(m.Run()) + // Compile the stack + pwd, err := os.Getwd() + if err != nil { + return errors.Wrap(err, "get working directory") + } + pdir := filepath.Join(pwd, "..") + cmd := exec.Command("go", "build", "-cover", "-o", "main", "main.go") + cmd.Dir = pdir + out, err := cmd.CombinedOutput() + if err != nil { + return errors.Wrapf(err, "stack compilation failed with output %s", out) + } + defer func() { + _ = os.Remove(filepath.Join(pdir, "main")) + }() + + // Re-write the Pulumi.yaml file to use the compiled binary + b, err := os.ReadFile(filepath.Join(pdir, "Pulumi.yaml")) + if err != nil { + return errors.Wrap(err, "could not read Pulumi.yaml file") + } + var proj workspace.Project + if err := yaml.Unmarshal(b, &proj); err != nil { + return errors.Wrap(err, "invalid Pulumi.yaml content") + } + proj.Runtime.SetOption("binary", "./main") + altered, err := yaml.Marshal(proj) + if err != nil { + return errors.Wrap(err, "marshalling Pulumi.yaml content") + } + if err := os.WriteFile(filepath.Join(pdir, "Pulumi.yaml"), altered, 0600); err != nil { + return errors.Wrap(err, "writing back Pulumi.yaml") + } + defer func() { + _ = os.WriteFile(filepath.Join(pdir, "Pulumi.yaml"), b, 0600) //nolint:gosec //#gosec G703 -- Don't bother with tests + }() + + if code := m.Run(); code != 0 { + return fmt.Errorf("exit with code %d", code) + } + return nil }
environment/deploy/main.go+48 −1 modified@@ -1,13 +1,21 @@ package main import ( - "github.com/ctfer-io/romeo/environment/deploy/parts" + "os" + + "github.com/pkg/errors" "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes" + metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1" + netwv1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/networking/v1" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config" + + "github.com/ctfer-io/romeo/environment/deploy/parts" ) func main() { + _, testi := os.LookupEnv("CTFERIO_CHALL_MANAGER_INTEGRATION_TEST") + pulumi.Run(func(ctx *pulumi.Context) error { cfg := loadConfig(ctx) @@ -52,6 +60,45 @@ func main() { return err } + if testi { + if _, err := netwv1.NewNetworkPolicy(ctx, "allow-inside-oci", &netwv1.NetworkPolicyArgs{ + Metadata: metav1.ObjectMetaArgs{ + Namespace: pulumi.String(cfg.Namespace), + Labels: pulumi.StringMap{ + "app.kubernetes.io/component": pulumi.String("chall-manager"), + "app.kubernetes.io/part-of": pulumi.String("chall-manager"), + "ctfer.io/stack-name": pulumi.String(ctx.Stack()), + }, + }, + Spec: netwv1.NetworkPolicySpecArgs{ + PolicyTypes: pulumi.ToStringArray([]string{ + "Egress", + }), + PodSelector: metav1.LabelSelectorArgs{ + MatchLabels: romeo.PodLabels, + }, + Egress: netwv1.NetworkPolicyEgressRuleArray{ + netwv1.NetworkPolicyEgressRuleArgs{ + Ports: netwv1.NetworkPolicyPortArray{ + netwv1.NetworkPolicyPortArgs{ + Port: pulumi.Int(5000), // we serve the OCI on this port + }, + }, + To: netwv1.NetworkPolicyPeerArray{ + netwv1.NetworkPolicyPeerArgs{ + IpBlock: netwv1.IPBlockArgs{ + Cidr: pulumi.String("172.16.0.0/12"), // The CIDR the OCI registry lays into as a mirror + }, + }, + }, + }, + }, + }, + }, opts...); err != nil { + return errors.Wrap(err, "allowing inside OCI traffic") + } + } + // Export Romeo outputs ctx.Export("namespace", romeo.Namespace) ctx.Export("port", romeo.Port)
environment/deploy/parts/hardening.go+0 −38 modified@@ -13,7 +13,6 @@ type ( npol *netwv1.NetworkPolicy dnspol *netwv1.NetworkPolicy - internspol *netwv1.NetworkPolicy internetpol *netwv1.NetworkPolicy } @@ -114,43 +113,6 @@ func (h *Hardening) provision(ctx *pulumi.Context, args *HardeningArgs, opts ... return } - // Whatever happens (IP ranges, DNS entries) deny all traffic to adjacent - // namespaces -> isolation by default/in depth. - h.internspol, err = netwv1.NewNetworkPolicy(ctx, "inter-ns", &netwv1.NetworkPolicyArgs{ - Metadata: metav1.ObjectMetaArgs{ - Namespace: args.Name, - Labels: args.AdditionalLabels, - }, - Spec: netwv1.NetworkPolicySpecArgs{ - PodSelector: metav1.LabelSelectorArgs{}, - PolicyTypes: pulumi.ToStringArray([]string{ - "Egress", - }), - Egress: netwv1.NetworkPolicyEgressRuleArray{ - netwv1.NetworkPolicyEgressRuleArgs{ - To: netwv1.NetworkPolicyPeerArray{ - netwv1.NetworkPolicyPeerArgs{ - NamespaceSelector: metav1.LabelSelectorArgs{ - MatchExpressions: metav1.LabelSelectorRequirementArray{ - metav1.LabelSelectorRequirementArgs{ - Key: pulumi.String("kubernetes.io/metadata.name"), - Operator: pulumi.String("NotIn"), - Values: pulumi.StringArray{ - args.Name, - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, opts...) - if err != nil { - return - } - // For dependencies resolution and the use of external services, grant // access to internet, i.e. all IP ranges except private ones // (https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses).
environment/deploy/parts/romeo.go+4 −0 modified@@ -40,6 +40,8 @@ type ( // The claim name to mount in coverage-monitored Go pods for them to // export their coverage data. ClaimName pulumi.StringOutput + + PodLabels pulumi.StringMapOutput } // RomeoEnvironmentArgs contains all the arguments to deploy a Romeo environment. @@ -455,10 +457,12 @@ func (renv *RomeoEnvironment) outputs(ctx *pulumi.Context, args *RomeoEnvironmen renv.ClaimName = renv.pvc.Metadata.Name().Elem() renv.Port = renv.svc.Spec.Ports().Index(pulumi.Int(0)).NodePort().Elem() + renv.PodLabels = renv.dep.Spec.Template().Metadata().Labels() return ctx.RegisterResourceOutputs(renv, pulumi.Map{ "namespace": renv.Namespace, "claim-name": renv.ClaimName, "port": renv.Port, + "podLabels": renv.PodLabels, }) }
.github/workflows/e2e.yaml+12 −5 modified@@ -81,18 +81,17 @@ jobs: - name: Prepare environment run: | pulumi login --local - kubectl create ns romeo-in-ci - name: Romeo install id: install - uses: ctfer-io/romeo/install@359b39dbd63ed45038293ab6e46a848ec16b62b7 + uses: ./install with: kubeconfig: ~/.kube/config harden: true - name: Romeo environment id: env - uses: ctfer-io/romeo/environment@359b39dbd63ed45038293ab6e46a848ec16b62b7 + uses: ./environment with: registry: localhost:5000 kubeconfig: ${{ steps.install.outputs.kubeconfig }} @@ -104,14 +103,16 @@ jobs: - name: Run Integration Tests run: | - go test -v ./environment/deploy/integration/ -run=^Test_I_ -coverprofile=integration.cov -timeout=10m + mkdir coverdir # Directory in which coverage data are exported + go test -v ./deploy/integration/ -run=^Test_I_ -coverprofile=integration.cov -timeout=10m env: NAMESPACE: ${{ steps.install.outputs.namespace }} TAG: ${{ github.sha }} REGISTRY: localhost:5000 KUBECONFIG: ${{ steps.install.outputs.kubeconfig }} CLAIM_NAME: ${{ steps.env.outputs.claim-name }} SERVER: ${{ steps.server.outputs.server }} + working-directory: environment - name: Download Romeo results id: download @@ -125,8 +126,14 @@ jobs: # It cannot be inferred, leading to this highly precise step. sed -i 's|^/go/src|github.com/ctfer-io/romeo/webserver|' ${{ steps.download.outputs.path }} + ( + cd environment + go tool covdata textfmt -i=coverdir -o=binary.cov + sed -i 's|^/home/runner/work/romeo/romeo|github.com/ctfer-io/romeo|' binary.cov + ) + go install go.shabbyrobe.org/gocovmerge/cmd/gocovmerge@fa4f82cfbf4d57c646c1ed0f35002bf1b89fbf7a - gocovmerge integration.cov ${{ steps.download.outputs.path }} > e2e.cov + gocovmerge ${{ steps.download.outputs.path }} environment/integration.cov environment/binary.cov > e2e.cov - name: Upload e2e tests coverage uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
go.work.sum+9 −1 modified@@ -207,7 +207,6 @@ github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0 github.com/Masterminds/sprig/v3 v3.2.1/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w= github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= -github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo= github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw= @@ -332,6 +331,7 @@ github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiU github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= github.com/go-sql-driver/mysql v1.8.0/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= @@ -430,6 +430,7 @@ github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1: github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= github.com/ijc/Gotty v0.0.0-20170406111628-a8b993ba6abd/go.mod h1:3LVOLeyx9XVvwPgrt2be44XgSqndprz1G18rSk8KD84= github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/iwahbe/helpmakego v0.4.1/go.mod h1:SNrBTLB/hEwr4EzMfcoMFVBGP9wQfJzSDF6PWZn4qac= github.com/iwdgo/sigintwindows v0.2.2/go.mod h1:70wPb8oz8OnxPvsj2QMUjgIVhb8hMu5TUgX8KfFl7QY= github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= @@ -539,6 +540,7 @@ github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBi github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.5.2/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg= github.com/yuin/goldmark-emoji v1.0.1/go.mod h1:2w1E6FEWLcDQkoTE+7HU6QF1F6SLlNGjRIBbIZQFqkQ= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= github.com/zclconf/go-cty v1.13.0/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= @@ -664,6 +666,7 @@ golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= +golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -738,7 +741,9 @@ golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= +golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc/go.mod h1:hKdjCMrbv9skySur+Nek8Hd0uJ0GuxJIoIX2payrIdQ= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= @@ -812,6 +817,9 @@ golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= +golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= +golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ= +golang.org/x/tools/godoc v0.1.0-deprecated/go.mod h1:qM63CriJ961IHWmnWa9CjZnBndniPt4a3CK0PVB9bIg= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
install/deploy/parts/hardening.go+0 −38 modified@@ -13,7 +13,6 @@ type ( npol *netwv1.NetworkPolicy dnspol *netwv1.NetworkPolicy - internspol *netwv1.NetworkPolicy internetpol *netwv1.NetworkPolicy } @@ -114,43 +113,6 @@ func (h *Hardening) provision(ctx *pulumi.Context, args *HardeningArgs, opts ... return } - // Whatever happens (IP ranges, DNS entries) deny all traffic to adjacent - // namespaces -> isolation by default/in depth. - h.internspol, err = netwv1.NewNetworkPolicy(ctx, "inter-ns", &netwv1.NetworkPolicyArgs{ - Metadata: metav1.ObjectMetaArgs{ - Namespace: args.Name, - Labels: args.AdditionalLabels, - }, - Spec: netwv1.NetworkPolicySpecArgs{ - PodSelector: metav1.LabelSelectorArgs{}, - PolicyTypes: pulumi.ToStringArray([]string{ - "Egress", - }), - Egress: netwv1.NetworkPolicyEgressRuleArray{ - netwv1.NetworkPolicyEgressRuleArgs{ - To: netwv1.NetworkPolicyPeerArray{ - netwv1.NetworkPolicyPeerArgs{ - NamespaceSelector: metav1.LabelSelectorArgs{ - MatchExpressions: metav1.LabelSelectorRequirementArray{ - metav1.LabelSelectorRequirementArgs{ - Key: pulumi.String("kubernetes.io/metadata.name"), - Operator: pulumi.String("NotIn"), - Values: pulumi.StringArray{ - args.Name, - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, opts...) - if err != nil { - return - } - // For dependencies resolution and the use of external services, grant // access to internet, i.e. all IP ranges except private ones // (https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses).
webserver/actions.go+2 −1 modified@@ -10,7 +10,8 @@ import ( func Output(key, dir string) error { // Open GitHub output file - f, err := os.OpenFile(os.Getenv("GITHUB_OUTPUT"), os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0777) + //nolint:lll // the line is long for gosec FP description + f, err := os.OpenFile(os.Getenv("GITHUB_OUTPUT"), os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600) //nolint:gosec //#gosec G703 -- FP, this is intended if err != nil { return errors.Wrap(err, "opening output file") }
webserver/api/v1/encoding.go+10 −12 modified@@ -5,6 +5,7 @@ import ( "bytes" "encoding/base64" "io" + "io/fs" "os" "path/filepath" "strings" @@ -24,20 +25,19 @@ func Encode(src string) (string, error) { w := zip.NewWriter(buf) // Walk in filesystem to zip files - walker := func(path string, info os.FileInfo, err error) error { + if err := filepath.WalkDir(src, func(path string, d fs.DirEntry, err error) error { if err != nil { return err } - if info.IsDir() { + + if d.IsDir() { return nil } - file, err := os.Open(path) + + file, err := os.Open(path) //nolint:gosec //#gosec G122 -- FP, the path cannot be controlled by an attacker if err != nil { return err } - defer func() { - _ = file.Close() - }() // Remove coverdir from file in zip (avoid nested directories) npath := strings.TrimPrefix(path, src+"/") @@ -46,13 +46,11 @@ func Encode(src string) (string, error) { return err } - if _, err := io.Copy(f, file); err != nil { - return err - } + _, err = io.Copy(f, file) + file.Close() - return nil - } - if err := filepath.Walk(src, walker); err != nil { + return err + }); err != nil { return "", err } w.Close()
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-fgm3-q9r5-43v9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32737ghsaADVISORY
- github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78ghsax_refsource_MISCWEB
- github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.