ArgoCD (add repo) incompatible with Azure WAFv2 (OWASP 3.2) about argo-cd HOT 4 OPEN

@tpcgold This seems to be a configuration problem within your cloud provider resources. If connecting to GitHub, you might need to configure it with https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.

from argo-cd.

Nope it's not a Github isse.
As the issue describes it's a OWASP compatibility of the ArgoCD frontend -> ArgoCD backend calls.
For now i had to do an exeption in the Firewall checks
(if my office ip + argo cookie is present i do ignore some OWASP rules mentioned above)

from argo-cd.

@tpcgold In your issue description, you mention the following:

Requests from the UI should successfully pass the Firewall without the need to puncture security by loosening a widely used standard policy (OWASP)

Can you find which data/value is invalid in the calls made from the ArgoCD frontend to the ArgoCD backend? The rules as explain in https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32 do not provide much details and I assume your WAF might have more logs on which data is causing the error.

from argo-cd.

You can find all rules in the coreset of OWASP
e.g. some like 931130 are regex based
931130

I don't have the logs ready as the Log Analytics workspace is already deleted.
But the issue was the amount of matches in a short period which shoot the anomaly score above 5
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
and hence trigger the firewall to block the "connect" requests on the "connect repo" page

from argo-cd.