Add blocklist of environment variables who could alter execution of plugins (#3934)

2024-11-25 03:11:01 +00:00 · 2024-07-18 22:54:29 +02:00 · 2024-07-18 22:54:29 +02:00 · 31a45e5633
commit 31a45e5633
parent 764329ed1d
3 changed files with 60 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -18,6 +18,7 @@
            gnumake
            gnutar
            zip
+            tree

            # frontend
            nodejs_20
--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@ -131,9 +131,14 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe
 			return nil, err
 		}

+		toUpperTarget := strings.ToUpper(requested.Target)
+		if !environmentAllowed(toUpperTarget, stepType) {
+			continue
+		}
+
 		environment[requested.Target] = secretValue
 		// TODO: deprecated, remove in 3.x
-		environment[strings.ToUpper(requested.Target)] = secretValue
+		environment[toUpperTarget] = secretValue
 	}

 	if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() {
--- a/pipeline/frontend/yaml/compiler/environment.go
+++ b/pipeline/frontend/yaml/compiler/environment.go
@ -0,0 +1,53 @@
+// Copyright 2024 Woodpecker Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package compiler
+
+import backend_types "go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types"
+
+/* cSpell:disable */
+
+var binaryVars = []string{
+	"PATH",                         // Specifies directories to search for executable files
+	"PATH_SEPARATOR",               // Defines the separator used in the PATH variable
+	"COMMAND_MODE",                 // (macOS): Can affect how certain commands are interpreted
+	"DYLD_FALLBACK_FRAMEWORK_PATH", // (macOS): Specifies additional locations to search for frameworks
+	"DYLD_FALLBACK_LIBRARY_PATH",   // (macOS): Specifies additional locations to search for libraries
+}
+
+var libraryVars = []string{
+	"LD_PRELOAD",            // Specifies shared libraries to be loaded before all others
+	"LD_LIBRARY_PATH",       // Specifies directories to search for shared libraries before the standard locations
+	"LD_AUDIT",              // Specifies a shared object to be used for auditing
+	"LD_BIND_NOW",           // Forces all relocations to be processed immediately
+	"LD_PROFILE",            // Specifies a shared object to be used for profiling
+	"LIBPATH",               // (AIX): Similar to LD_LIBRARY_PATH on AIX systems
+	"DYLD_INSERT_LIBRARIES", // (macOS): Similar to LD_PRELOAD on macOS
+	"DYLD_LIBRARY_PATH",     // (macOS): Similar to LD_LIBRARY_PATH on macOS
+}
+
+/* cSpell:enable */
+
+func environmentAllowed(envKey string, stepType backend_types.StepType) bool {
+	switch stepType {
+	case backend_types.StepTypePlugin,
+		backend_types.StepTypeClone:
+		for _, v := range append(binaryVars, libraryVars...) {
+			if envKey == v {
+				return false
+			}
+		}
+	}
+	return true
+}