-
-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhance token checking #3842
Merged
Merged
Enhance token checking #3842
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Deployment of preview was torn down |
qwerty287
approved these changes
Jun 26, 2024
6543
approved these changes
Jun 26, 2024
3 tasks
0x1def
pushed a commit
to flakybitnet/woodpecker
that referenced
this pull request
Jun 27, 2024
(cherry picked from commit b8b6efb)
6543
pushed a commit
that referenced
this pull request
Jul 18, 2024
## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18 ### 🔒 Security - Add blocklist of environment variables who could alter execution of plugins [[#3934](#3934)] - Make sure plugins only mount the workspace base in a predefinde location [[#3933](#3933)] - Disallow to set arbitrary environments for plugins [[#3909](#3909)] - Use proper oauth state [[#3847](#3847)] - Enhance token checking [[#3842](#3842)] - Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[#3834](#3834)] ### ✨ Features - Gracefully shutdown server [[#3896](#3896)] - Gracefully shutdown agent [[#3895](#3895)] - Convert urls in logs to links [[#3904](#3904)] - Allow login using multiple forges [[#3822](#3822)] - Global and organization registries [[#1672](#1672)] - Cli get repo from git remote [[#3830](#3830)] - Add api for forges [[#3733](#3733)] ### 📈 Enhancement - Cli fix pipeline logs [[#3913](#3913)] - Migrate to github.com/urfave/cli/v3 [[#2951](#2951)] - Allow to change the working directory also for plugins and services [[#3914](#3914)] - Remove `unplugin-icons` [[#3809](#3809)] - Release windows binaries as zip file [[#3906](#3906)] - Convert to openapi 3.0 [[#3897](#3897)] - Enhance pipeline list [[#3898](#3898)] - Add user registries UI [[#3888](#3888)] - Sort users by login [[#3891](#3891)] - Exclude dummy backend in production [[#3877](#3877)] - Fix deploy task env [[#3878](#3878)] - Get default branch and show message in pipeline list [[#3867](#3867)] - Add timestamp for last work done by agent [[#3844](#3844)] - Adjust logger types [[#3859](#3859)] - Cleanup state reporting [[#3850](#3850)] - Unify DB tables/columns [[#3806](#3806)] - Let webhook pass on pipeline parsing error [[#3829](#3829)] - Exclude mocks from release build [[#3831](#3831)] - K8s secrets reference from step [[#3655](#3655)] ### 🐛 Bug Fixes - Handle empty repositories in gitea when listing PRs [[#3925](#3925)] - Update alpine package dep for docker images [[#3917](#3917)] - Don't report error if agent was terminated gracefully [[#3894](#3894)] - Let agents continuously report their health [[#3893](#3893)] - Ignore warnings for cli exec [[#3868](#3868)] - Correct favicon states [[#3832](#3832)] - Cleanup of the login flow and tests [[#3810](#3810)] - Fix newlines in logs [[#3808](#3808)] - Fix authentication error handling [[#3807](#3807)] ### 📚 Documentation - Streamline docs for new users [[#3803](#3803)] - Add mastodon verification [[#3843](#3843)] - chore(deps): update docs npm deps non-major [[#3837](#3837)] - fix(deps): update docs npm deps non-major [[#3824](#3824)] - Add openSUSE package [[#3800](#3800)] - chore(deps): update docs npm deps non-major [[#3798](#3798)] - Add "Docker Tags" Plugin [[#3796](#3796)] - chore(deps): update dependency marked to v13 [[#3792](#3792)] - chore: fix some comments [[#3788](#3788)] ### Misc - chore(deps): update web npm deps non-major [[#3930](#3930)] - chore(deps): update dependency vitest to v2 [[#3905](#3905)] - fix(deps): update module github.com/google/go-github/v62 to v63 [[#3910](#3910)] - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[#3908](#3908)] - Update plugin-git and add renovate trigger [[#3901](#3901)] - chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[#3903](#3903)] - fix(deps): update golang-packages [[#3875](#3875)] - chore(deps): lock file maintenance [[#3876](#3876)] - [pre-commit.ci] pre-commit autoupdate [[#3862](#3862)] - Add dummy backend [[#3820](#3820)] - chore(deps): update dependency replace-in-file to v8 [[#3852](#3852)] - Update forgejo sdk [[#3840](#3840)] - chore(deps): lock file maintenance [[#3838](#3838)] - Allow to set dist dir using env var [[#3814](#3814)] - chore(deps): lock file maintenance [[#3805](#3805)] - chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[#3797](#3797)]
6543
pushed a commit
to 6543-forks/woodpecker
that referenced
this pull request
Sep 5, 2024
6543
pushed a commit
to 6543-forks/woodpecker
that referenced
this pull request
Sep 5, 2024
## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18 ### 🔒 Security - Add blocklist of environment variables who could alter execution of plugins [[woodpecker-ci#3934](woodpecker-ci#3934)] - Make sure plugins only mount the workspace base in a predefinde location [[woodpecker-ci#3933](woodpecker-ci#3933)] - Disallow to set arbitrary environments for plugins [[woodpecker-ci#3909](woodpecker-ci#3909)] - Use proper oauth state [[woodpecker-ci#3847](woodpecker-ci#3847)] - Enhance token checking [[woodpecker-ci#3842](woodpecker-ci#3842)] - Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[woodpecker-ci#3834](woodpecker-ci#3834)] ### ✨ Features - Gracefully shutdown server [[woodpecker-ci#3896](woodpecker-ci#3896)] - Gracefully shutdown agent [[woodpecker-ci#3895](woodpecker-ci#3895)] - Convert urls in logs to links [[woodpecker-ci#3904](woodpecker-ci#3904)] - Allow login using multiple forges [[woodpecker-ci#3822](woodpecker-ci#3822)] - Global and organization registries [[woodpecker-ci#1672](woodpecker-ci#1672)] - Cli get repo from git remote [[woodpecker-ci#3830](woodpecker-ci#3830)] - Add api for forges [[woodpecker-ci#3733](woodpecker-ci#3733)] ### 📈 Enhancement - Cli fix pipeline logs [[woodpecker-ci#3913](woodpecker-ci#3913)] - Migrate to github.com/urfave/cli/v3 [[woodpecker-ci#2951](woodpecker-ci#2951)] - Allow to change the working directory also for plugins and services [[woodpecker-ci#3914](woodpecker-ci#3914)] - Remove `unplugin-icons` [[woodpecker-ci#3809](woodpecker-ci#3809)] - Release windows binaries as zip file [[woodpecker-ci#3906](woodpecker-ci#3906)] - Convert to openapi 3.0 [[woodpecker-ci#3897](woodpecker-ci#3897)] - Enhance pipeline list [[woodpecker-ci#3898](woodpecker-ci#3898)] - Add user registries UI [[woodpecker-ci#3888](woodpecker-ci#3888)] - Sort users by login [[woodpecker-ci#3891](woodpecker-ci#3891)] - Exclude dummy backend in production [[woodpecker-ci#3877](woodpecker-ci#3877)] - Fix deploy task env [[woodpecker-ci#3878](woodpecker-ci#3878)] - Get default branch and show message in pipeline list [[woodpecker-ci#3867](woodpecker-ci#3867)] - Add timestamp for last work done by agent [[woodpecker-ci#3844](woodpecker-ci#3844)] - Adjust logger types [[woodpecker-ci#3859](woodpecker-ci#3859)] - Cleanup state reporting [[woodpecker-ci#3850](woodpecker-ci#3850)] - Unify DB tables/columns [[woodpecker-ci#3806](woodpecker-ci#3806)] - Let webhook pass on pipeline parsing error [[woodpecker-ci#3829](woodpecker-ci#3829)] - Exclude mocks from release build [[woodpecker-ci#3831](woodpecker-ci#3831)] - K8s secrets reference from step [[woodpecker-ci#3655](woodpecker-ci#3655)] ### 🐛 Bug Fixes - Handle empty repositories in gitea when listing PRs [[woodpecker-ci#3925](woodpecker-ci#3925)] - Update alpine package dep for docker images [[woodpecker-ci#3917](woodpecker-ci#3917)] - Don't report error if agent was terminated gracefully [[woodpecker-ci#3894](woodpecker-ci#3894)] - Let agents continuously report their health [[woodpecker-ci#3893](woodpecker-ci#3893)] - Ignore warnings for cli exec [[woodpecker-ci#3868](woodpecker-ci#3868)] - Correct favicon states [[woodpecker-ci#3832](woodpecker-ci#3832)] - Cleanup of the login flow and tests [[woodpecker-ci#3810](woodpecker-ci#3810)] - Fix newlines in logs [[woodpecker-ci#3808](woodpecker-ci#3808)] - Fix authentication error handling [[woodpecker-ci#3807](woodpecker-ci#3807)] ### 📚 Documentation - Streamline docs for new users [[woodpecker-ci#3803](woodpecker-ci#3803)] - Add mastodon verification [[woodpecker-ci#3843](woodpecker-ci#3843)] - chore(deps): update docs npm deps non-major [[woodpecker-ci#3837](woodpecker-ci#3837)] - fix(deps): update docs npm deps non-major [[woodpecker-ci#3824](woodpecker-ci#3824)] - Add openSUSE package [[woodpecker-ci#3800](woodpecker-ci#3800)] - chore(deps): update docs npm deps non-major [[woodpecker-ci#3798](woodpecker-ci#3798)] - Add "Docker Tags" Plugin [[woodpecker-ci#3796](woodpecker-ci#3796)] - chore(deps): update dependency marked to v13 [[woodpecker-ci#3792](woodpecker-ci#3792)] - chore: fix some comments [[woodpecker-ci#3788](woodpecker-ci#3788)] ### Misc - chore(deps): update web npm deps non-major [[woodpecker-ci#3930](woodpecker-ci#3930)] - chore(deps): update dependency vitest to v2 [[woodpecker-ci#3905](woodpecker-ci#3905)] - fix(deps): update module github.com/google/go-github/v62 to v63 [[woodpecker-ci#3910](woodpecker-ci#3910)] - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[woodpecker-ci#3908](woodpecker-ci#3908)] - Update plugin-git and add renovate trigger [[woodpecker-ci#3901](woodpecker-ci#3901)] - chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[woodpecker-ci#3903](woodpecker-ci#3903)] - fix(deps): update golang-packages [[woodpecker-ci#3875](woodpecker-ci#3875)] - chore(deps): lock file maintenance [[woodpecker-ci#3876](woodpecker-ci#3876)] - [pre-commit.ci] pre-commit autoupdate [[woodpecker-ci#3862](woodpecker-ci#3862)] - Add dummy backend [[woodpecker-ci#3820](woodpecker-ci#3820)] - chore(deps): update dependency replace-in-file to v8 [[woodpecker-ci#3852](woodpecker-ci#3852)] - Update forgejo sdk [[woodpecker-ci#3840](woodpecker-ci#3840)] - chore(deps): lock file maintenance [[woodpecker-ci#3838](woodpecker-ci#3838)] - Allow to set dist dir using env var [[woodpecker-ci#3814](woodpecker-ci#3814)] - chore(deps): lock file maintenance [[woodpecker-ci#3805](woodpecker-ci#3805)] - chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[woodpecker-ci#3797](woodpecker-ci#3797)]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Tokens will now always be checked for their specific types. This wasn't directly a security risk as
text
was previously either a username likeanbraten
and a repo-nameanbraten/test
and as users wont have/
in their name their should be no risks that a user was able to use their token to authenticate a repo-hook. New tokens are usinguser-id
andrepo-id
further minimizing the risk. However it seems to be a good practice to check the actual token type and therefore it is now a required part ofParse
andParseRequest
.Extracted from #3822