enforce plugin whitelist

.dockerignore

@@ -6,6 +6,7 @@ doc/
 .dockerignore
 .drone.yml
 .gitignore
+drone.sqlite
 Dockerfile
 LICENSE
 README.md

cmd/drone-build/run.go

@@ -29,9 +29,9 @@ type Context struct {
 func setup(c *Context) error {
 	var err error
 	var opts = parser.Opts{
-		Network:    true,
+		Network:    false,
-		Privileged: true,
+		Privileged: false,
-		Volumes:    true,
+		Volumes:    false,
 		Whitelist:  c.Plugins,
 	}
 

pkg/server/commits.go

@@ -114,6 +114,8 @@ func RunBuild(c *gin.Context) {
 	store := ToDatastore(c)
 	queue_ := ToQueue(c)
 	repo := ToRepo(c)
+	conf := ToSettings(c)
+
 	num, err := strconv.Atoi(c.Params.ByName("number"))
 	if err != nil {
 		c.Fail(400, err)
@@ -191,6 +193,8 @@ func RunBuild(c *gin.Context) {
 		Keys:    keys,
 		Netrc:   netrc,
 		Yaml:    raw,
+		Plugins: conf.Plugins,
+		Env:     conf.Environment,
 	})
 }
 

pkg/server/hooks.go

@@ -22,6 +22,7 @@ func PostHook(c *gin.Context) {
 	store := ToDatastore(c)
 	queue_ := ToQueue(c)
 	sess := ToSession(c)
+	conf := ToSettings(c)
 
 	hook, err := remote.Hook(c.Request)
 	if err != nil {
@@ -157,5 +158,7 @@ func PostHook(c *gin.Context) {
 		Keys:    keys,
 		Netrc:   netrc,
 		Yaml:    raw,
+		Plugins: conf.Plugins,
+		Env:     conf.Environment,
 	})
 }

pkg/yaml/parse.go

@@ -77,6 +77,10 @@ func ParseSingle(raw string, opts *Opts) (*common.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	err = LintPlugins(conf, opts)
+	if err != nil {
+		return nil, err
+	}
 	// apply rules / transofms
 	transformSetup(conf)
 	transformClone(conf)