mirrors/woodpecker
1
0
Fork 0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2024-10-18 08:03:48 +00:00
Code Issues Projects Releases Wiki Activity

Add blocklist of environment variables who could alter execution of plugins (#3934)

Browse source
This commit is contained in:
6543 2024-07-18 22:54:29 +02:00 committed by GitHub
parent 764329ed1d
commit 31a45e5633
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 60 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -18,6 +18,7 @@
gnumake gnumake
gnutar gnutar
zip zip
tree
# frontend # frontend
nodejs_20 nodejs_20

7
pipeline/frontend/yaml/compiler/convert.go
View file

@ -131,9 +131,14 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe
return nil, err return nil, err
} }
toUpperTarget := strings.ToUpper(requested.Target)
if !environmentAllowed(toUpperTarget, stepType) {
continue
}
environment[requested.Target] = secretValue environment[requested.Target] = secretValue
// TODO: deprecated, remove in 3.x // TODO: deprecated, remove in 3.x
environment[strings.ToUpper(requested.Target)] = secretValue environment[toUpperTarget] = secretValue
} }
if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() { if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() {

53
pipeline/frontend/yaml/compiler/environment.go Normal file
View file

@ -0,0 +1,53 @@
// Copyright 2024 Woodpecker Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package compiler
import backend_types "go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types"
/* cSpell:disable */
var binaryVars = []string{
"PATH", // Specifies directories to search for executable files
"PATH_SEPARATOR", // Defines the separator used in the PATH variable
"COMMAND_MODE", // (macOS): Can affect how certain commands are interpreted
"DYLD_FALLBACK_FRAMEWORK_PATH", // (macOS): Specifies additional locations to search for frameworks
"DYLD_FALLBACK_LIBRARY_PATH", // (macOS): Specifies additional locations to search for libraries
}
var libraryVars = []string{
"LD_PRELOAD", // Specifies shared libraries to be loaded before all others
"LD_LIBRARY_PATH", // Specifies directories to search for shared libraries before the standard locations
"LD_AUDIT", // Specifies a shared object to be used for auditing
"LD_BIND_NOW", // Forces all relocations to be processed immediately
"LD_PROFILE", // Specifies a shared object to be used for profiling
"LIBPATH", // (AIX): Similar to LD_LIBRARY_PATH on AIX systems
"DYLD_INSERT_LIBRARIES", // (macOS): Similar to LD_PRELOAD on macOS
"DYLD_LIBRARY_PATH", // (macOS): Similar to LD_LIBRARY_PATH on macOS
}
/* cSpell:enable */
func environmentAllowed(envKey string, stepType backend_types.StepType) bool {
switch stepType {
case backend_types.StepTypePlugin,
backend_types.StepTypeClone:
for _, v := range append(binaryVars, libraryVars...) {
if envKey == v {
return false
}
}
}
return true
}