mirrors/woodpecker
1
0
Fork 0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2025-02-22 14:16:18 +00:00
Code Issues Projects Releases Wiki Activity

Fix insecure /tmp usage in local backend (#872)

Browse source 
Since /tmp is writable by everybody, a user could precreate
/tmp/woodpecker with 777 permissions, allowing them to modify the
pipeline while it is being run, or preventing the pipeline from running.

And since os.MkdirAll error code wasn't checked, the same attacker
could have precreated the directory where the pipeline is executed to
mess with the run, allowing code execution under the UID of the
agent (who has access to the toke, to communicate with the server, which
mean a attacker could inject a fake agent, steal credentials, etc)
This commit is contained in:
mscherer 2022-04-06 03:33:00 +02:00 committed by GitHub
parent 1fb8003294
commit c3788d943f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
pipeline/backend/local/local.go
View file

@ -4,6 +4,7 @@ import (
"context"
"encoding/base64"
"io"
"io/ioutil"
"os"
"os/exec"
"strings"
@ -13,8 +14,9 @@ import (
)
type local struct {
cmd *exec.Cmd
output io.ReadCloser
cmd *exec.Cmd
output io.ReadCloser
workingdir string
}
// make sure local implements Engine
@ -34,7 +36,9 @@ func (e *local) IsAvailable() bool {
}
func (e *local) Load() error {
return nil
dir, err := ioutil.TempDir("", "woodpecker-local-*")
e.workingdir = dir
return err
}
// Setup the pipeline environment.
@ -60,7 +64,7 @@ func (e *local) Exec(ctx context.Context, proc *types.Step) error {
if proc.Image == defaultCloneImage {
// Default clone step
Command = append(Command, "CI_WORKSPACE=/tmp/woodpecker/"+proc.Environment["CI_REPO"])
Command = append(Command, "CI_WORKSPACE="+e.workingdir+"/"+proc.Environment["CI_REPO"])
Command = append(Command, "plugin-git")
} else {
// Use "image name" as run command
@ -78,12 +82,14 @@ func (e *local) Exec(ctx context.Context, proc *types.Step) error {
// Prepare working directory
if proc.Image == defaultCloneImage {
e.cmd.Dir = "/tmp/woodpecker/" + proc.Environment["CI_REPO_OWNER"]
e.cmd.Dir = e.workingdir + "/" + proc.Environment["CI_REPO_OWNER"]
} else {
e.cmd.Dir = "/tmp/woodpecker/" + proc.Environment["CI_REPO"]
e.cmd.Dir = e.workingdir + "/" + proc.Environment["CI_REPO"]
}
err := os.MkdirAll(e.cmd.Dir, 0o700)
if err != nil {
return err
}
_ = os.MkdirAll(e.cmd.Dir, 0o700)
// Get output and redirect Stderr to Stdout
e.output, _ = e.cmd.StdoutPipe()
e.cmd.Stderr = e.cmd.Stdout