Argo CD's API server does not enforce project sourceNamespaces

Impact

I can convince the UI to let me do things with an invalid Application.

1. Admin gives me p, michael, applications, *, demo/*, allow, where demo can just deploy to the demo namespace
2. Admin gives me AppProject dev which reconciles from ns dev-apps
3. Admin gives me p, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only
4. I create an Application called pwn in dev-apps with project dev and sync the app with sources from git
5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)
6. I use the UI to edit the resource which should only be mutable via gitops

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.7
v2.9.12
v2.8.16

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue