Dec 02, 2022
By Carlos (@nzlosh) with assistance from Ankur Singh (@rush-skills)
StackStorm v3.8.0 has been released. It comes with two critical security patches, new core features and enhancements, web ui updates, and lots of bug fixes.
Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users.
This major issue was reported by the independent security researcher Mohamed Elgllad and fixed in v3.8.0. We’d like to thank Mohamed for his open source security contribution!
We highly recommend our users update their StackStorm systems.
Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information. This is now fixed, so please update to v3.8.0 if you started using RBAC for K/V in v3.7.0.
The issue was reported by Guilherme
Murad Pim, one of the StackStorm community members and
we appreciate the time and effort finding and reporting issues like that.
Guilherme is also working on contributing the SSO/SAML support in the next StackStorm version, - more on that below.
StackStorm’s Workflow engine can now handle shutdown events more gracefully thanks to the contribution by @khushboobhatia01 from VMware.
Two new configurations has been added to
st2.conf in the
section to have more granular control:
exit_still_active_check = 300
still_active_check_interval = 2
New Auto-Save Workflow, Hotkey Shortcuts, Support for the Rule Search Criteria and Security fix for XSS were contributed by @Bitovi, a StackStorm partner. Check out a dedicated overview with screenshots and videos: Web UI Updates in v3.8.0.
Outside of that, new enhancement that temporarily disable web buttons in forms after onClick to avoid accidental double-clicks was added by Parth Shandilya from @CERN in stackstorm/st2web#977 to make the Web UI experience even better!
Amanda McGuinness from @intive, a StackStorm partner, expanded the garbage collector to clean up more resources. The GC will now purge expired old tokens, which were previously excluded from the purge process and could end up consuming a large amount of space over time.
You can control the new behavior via
# Tokens that expired over this value (days) will be automatically deleted.
# Defaults to None (disabled).
tokens_ttl = None
See the garbagecollector purge documentation for more details.
[system].validate_output_schema = True(disabled by default) in st2.conf AND you have added
output_schemato any of your packs, then you must update your action metadata. Any legacy schemas, like all invalid schemas, will be used for validation; they will be silently ignored. However, for security, secret masking based on the legacy schema is still supported.
Secret masking is one of the primary purposes of output validation. But, the legacy schema
format assumed that it was describing the properties of an object; that meant that only
object properties could be masked, not the entire output. With v3.8.0,
much more versatile, removing this restriction on what can be masked.
output_schema must be a full jsonschema. With this change the entire
output can be masked as
output_schema can describe all basic
types: object, list, bool, int, etc. Feel free to validate and/or mask the entire action
output, or particular elements of lists, or properties of objects.
To migrate an action's legacy output_schema to be a full jsonschema, you'll need to add a
additionalProperties to it. See
v3.8.0 migration notes
for detailed instructions how to update.
Contributed by Jacob Floyd (@cognifloyd) @Copart IT.
And more than 30 other bug fixes and enhancements. Read the full v3.8.0 changelog here.
There’s a massive amount of work ongoing by community to add
to StackStorm across the platform components: stackstorm/st2#5664,
We’re looking for more testing and review from our community to get that major feature included in the next v3.9.0. If you’re interested, - please take a look at the PRs above, try it, and provide feedback. The work in progress documentation for the new feature is available at stackstorm/st2docs#1146 and there’s even a docker environment to test it.
We are also working on improving the developer experience and our build/test/release process with Pants, thanks to Jacob Floyd (@cognifloyd). Some Pants features we are most looking forward to include: requirements lockfiles; reliable fine grained caching of results from test, lint, format and other processes; and amazing error messages that guide contributors (both new and old) about how to resolve various dev issues. We hope this will lower the barrier to entry for new contributors, and streamline the StackStorm packaging release process.
StackStorm releases are not possible without the Community of contributors and supporters, as well as release team who dedicated a lot of time to get the v3.8.0 out with assistance of TSC maintainers. We want to thank everyone: security researchers who reported issues, StackStorm partners who patched them, release managers who did the heavy-lifting with release automation, contributors for their PRs, as well as our adopters for reporting bugs, asking questions and being an active part of StackStorm open-source Community.
The v3.8.0 release was brought by the release managers
Carlos with assistance of
Ankur Singh @CERN.
Special thanks: @m4dcoder, Amanda McGuinness from @intive partner, Jacob Floyd, @dylan-bitovi with @Jappzy, with @WestonVincze, with @cded and Eugen from @Bitovi partner, @bharath-orchestral from @Orchestral partner, Bradley Bishop from @Encore partner, Khushboo Bhatia @VMware, @ParthS007 @CERN, Mark Mercado @DigitalOcean, @LiamRiddell, @luislobo, @S-T-A-R-L-O-R-D, @wfgydbu.
As usual, you can join the StackStorm Open Source Community in Slack, subscribe to StackStorm Twitter and LinkedIn to not miss the upcoming project news and updates!