Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance token checking #3842

Merged
merged 4 commits into from
Jun 26, 2024
Merged

Conversation

anbraten
Copy link
Member

@anbraten anbraten commented Jun 26, 2024

Tokens will now always be checked for their specific types. This wasn't directly a security risk as text was previously either a username like anbraten and a repo-name anbraten/test and as users wont have / in their name their should be no risks that a user was able to use their token to authenticate a repo-hook. New tokens are using user-id and repo-id further minimizing the risk. However it seems to be a good practice to check the actual token type and therefore it is now a required part of Parse and ParseRequest.

Extracted from #3822

@anbraten anbraten added this to the 2.7.0 milestone Jun 26, 2024
@anbraten anbraten requested a review from a team June 26, 2024 17:58
@woodpecker-bot
Copy link
Collaborator

woodpecker-bot commented Jun 26, 2024

Deployment of preview was torn down

@anbraten anbraten enabled auto-merge (squash) June 26, 2024 19:10
@anbraten anbraten merged commit b8b6efb into woodpecker-ci:main Jun 26, 2024
6 of 7 checks passed
@woodpecker-bot woodpecker-bot mentioned this pull request Jun 26, 2024
1 task
@anbraten anbraten mentioned this pull request Jun 27, 2024
3 tasks
0x1def pushed a commit to flakybitnet/woodpecker that referenced this pull request Jun 27, 2024
6543 pushed a commit that referenced this pull request Jul 18, 2024
## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18

### 🔒 Security

- Add blocklist of environment variables who could alter execution of plugins [[#3934](#3934)]
- Make sure plugins only mount the workspace base in a predefinde location [[#3933](#3933)]
- Disallow to set arbitrary environments for plugins [[#3909](#3909)]
- Use proper oauth state [[#3847](#3847)]
- Enhance token checking [[#3842](#3842)]
- Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[#3834](#3834)]

### ✨ Features

- Gracefully shutdown server [[#3896](#3896)]
- Gracefully shutdown agent [[#3895](#3895)]
- Convert urls in logs to links  [[#3904](#3904)]
- Allow login using multiple forges [[#3822](#3822)]
- Global and organization registries [[#1672](#1672)]
- Cli get repo from git remote [[#3830](#3830)]
- Add api for forges [[#3733](#3733)]

### 📈 Enhancement

- Cli fix pipeline logs [[#3913](#3913)]
- Migrate to github.com/urfave/cli/v3 [[#2951](#2951)]
- Allow to change the working directory also for plugins and services [[#3914](#3914)]
- Remove `unplugin-icons` [[#3809](#3809)]
- Release windows binaries as zip file [[#3906](#3906)]
- Convert to openapi 3.0 [[#3897](#3897)]
- Enhance pipeline list [[#3898](#3898)]
- Add user registries UI [[#3888](#3888)]
- Sort users by login [[#3891](#3891)]
- Exclude dummy backend in production [[#3877](#3877)]
- Fix deploy task env [[#3878](#3878)]
- Get default branch and show message in pipeline list [[#3867](#3867)]
- Add timestamp for last work done by agent [[#3844](#3844)]
- Adjust logger types [[#3859](#3859)]
- Cleanup state reporting [[#3850](#3850)]
- Unify DB tables/columns [[#3806](#3806)]
- Let webhook pass on pipeline parsing error [[#3829](#3829)]
- Exclude mocks from release build [[#3831](#3831)]
- K8s secrets reference from step [[#3655](#3655)]

### 🐛 Bug Fixes

- Handle empty repositories in gitea when listing PRs [[#3925](#3925)]
- Update alpine package dep for docker images [[#3917](#3917)]
- Don't report error if agent was terminated gracefully [[#3894](#3894)]
- Let agents continuously report their health [[#3893](#3893)]
- Ignore warnings for cli exec [[#3868](#3868)]
- Correct favicon states [[#3832](#3832)]
- Cleanup of the login flow and tests [[#3810](#3810)]
- Fix newlines in logs [[#3808](#3808)]
- Fix authentication error handling [[#3807](#3807)]

### 📚 Documentation

- Streamline docs for new users [[#3803](#3803)]
- Add mastodon verification [[#3843](#3843)]
- chore(deps): update docs npm deps non-major [[#3837](#3837)]
- fix(deps): update docs npm deps non-major [[#3824](#3824)]
- Add openSUSE package [[#3800](#3800)]
- chore(deps): update docs npm deps non-major [[#3798](#3798)]
- Add "Docker Tags" Plugin [[#3796](#3796)]
- chore(deps): update dependency marked to v13 [[#3792](#3792)]
- chore: fix some comments [[#3788](#3788)]

### Misc

- chore(deps): update web npm deps non-major [[#3930](#3930)]
- chore(deps): update dependency vitest to v2 [[#3905](#3905)]
- fix(deps): update module github.com/google/go-github/v62 to v63 [[#3910](#3910)]
- chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[#3908](#3908)]
- Update plugin-git and add renovate trigger [[#3901](#3901)]
- chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[#3903](#3903)]
- fix(deps): update golang-packages [[#3875](#3875)]
- chore(deps): lock file maintenance [[#3876](#3876)]
- [pre-commit.ci] pre-commit autoupdate [[#3862](#3862)]
- Add dummy backend [[#3820](#3820)]
- chore(deps): update dependency replace-in-file to v8 [[#3852](#3852)]
- Update forgejo sdk [[#3840](#3840)]
- chore(deps): lock file maintenance [[#3838](#3838)]
- Allow to set dist dir using env var [[#3814](#3814)]
- chore(deps): lock file maintenance [[#3805](#3805)]
- chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[#3797](#3797)]
@woodpecker-bot woodpecker-bot mentioned this pull request Jul 19, 2024
1 task
6543 pushed a commit to 6543-forks/woodpecker that referenced this pull request Sep 5, 2024
6543 pushed a commit to 6543-forks/woodpecker that referenced this pull request Sep 5, 2024
## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18

### 🔒 Security

- Add blocklist of environment variables who could alter execution of plugins [[woodpecker-ci#3934](woodpecker-ci#3934)]
- Make sure plugins only mount the workspace base in a predefinde location [[woodpecker-ci#3933](woodpecker-ci#3933)]
- Disallow to set arbitrary environments for plugins [[woodpecker-ci#3909](woodpecker-ci#3909)]
- Use proper oauth state [[woodpecker-ci#3847](woodpecker-ci#3847)]
- Enhance token checking [[woodpecker-ci#3842](woodpecker-ci#3842)]
- Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[woodpecker-ci#3834](woodpecker-ci#3834)]

### ✨ Features

- Gracefully shutdown server [[woodpecker-ci#3896](woodpecker-ci#3896)]
- Gracefully shutdown agent [[woodpecker-ci#3895](woodpecker-ci#3895)]
- Convert urls in logs to links  [[woodpecker-ci#3904](woodpecker-ci#3904)]
- Allow login using multiple forges [[woodpecker-ci#3822](woodpecker-ci#3822)]
- Global and organization registries [[woodpecker-ci#1672](woodpecker-ci#1672)]
- Cli get repo from git remote [[woodpecker-ci#3830](woodpecker-ci#3830)]
- Add api for forges [[woodpecker-ci#3733](woodpecker-ci#3733)]

### 📈 Enhancement

- Cli fix pipeline logs [[woodpecker-ci#3913](woodpecker-ci#3913)]
- Migrate to github.com/urfave/cli/v3 [[woodpecker-ci#2951](woodpecker-ci#2951)]
- Allow to change the working directory also for plugins and services [[woodpecker-ci#3914](woodpecker-ci#3914)]
- Remove `unplugin-icons` [[woodpecker-ci#3809](woodpecker-ci#3809)]
- Release windows binaries as zip file [[woodpecker-ci#3906](woodpecker-ci#3906)]
- Convert to openapi 3.0 [[woodpecker-ci#3897](woodpecker-ci#3897)]
- Enhance pipeline list [[woodpecker-ci#3898](woodpecker-ci#3898)]
- Add user registries UI [[woodpecker-ci#3888](woodpecker-ci#3888)]
- Sort users by login [[woodpecker-ci#3891](woodpecker-ci#3891)]
- Exclude dummy backend in production [[woodpecker-ci#3877](woodpecker-ci#3877)]
- Fix deploy task env [[woodpecker-ci#3878](woodpecker-ci#3878)]
- Get default branch and show message in pipeline list [[woodpecker-ci#3867](woodpecker-ci#3867)]
- Add timestamp for last work done by agent [[woodpecker-ci#3844](woodpecker-ci#3844)]
- Adjust logger types [[woodpecker-ci#3859](woodpecker-ci#3859)]
- Cleanup state reporting [[woodpecker-ci#3850](woodpecker-ci#3850)]
- Unify DB tables/columns [[woodpecker-ci#3806](woodpecker-ci#3806)]
- Let webhook pass on pipeline parsing error [[woodpecker-ci#3829](woodpecker-ci#3829)]
- Exclude mocks from release build [[woodpecker-ci#3831](woodpecker-ci#3831)]
- K8s secrets reference from step [[woodpecker-ci#3655](woodpecker-ci#3655)]

### 🐛 Bug Fixes

- Handle empty repositories in gitea when listing PRs [[woodpecker-ci#3925](woodpecker-ci#3925)]
- Update alpine package dep for docker images [[woodpecker-ci#3917](woodpecker-ci#3917)]
- Don't report error if agent was terminated gracefully [[woodpecker-ci#3894](woodpecker-ci#3894)]
- Let agents continuously report their health [[woodpecker-ci#3893](woodpecker-ci#3893)]
- Ignore warnings for cli exec [[woodpecker-ci#3868](woodpecker-ci#3868)]
- Correct favicon states [[woodpecker-ci#3832](woodpecker-ci#3832)]
- Cleanup of the login flow and tests [[woodpecker-ci#3810](woodpecker-ci#3810)]
- Fix newlines in logs [[woodpecker-ci#3808](woodpecker-ci#3808)]
- Fix authentication error handling [[woodpecker-ci#3807](woodpecker-ci#3807)]

### 📚 Documentation

- Streamline docs for new users [[woodpecker-ci#3803](woodpecker-ci#3803)]
- Add mastodon verification [[woodpecker-ci#3843](woodpecker-ci#3843)]
- chore(deps): update docs npm deps non-major [[woodpecker-ci#3837](woodpecker-ci#3837)]
- fix(deps): update docs npm deps non-major [[woodpecker-ci#3824](woodpecker-ci#3824)]
- Add openSUSE package [[woodpecker-ci#3800](woodpecker-ci#3800)]
- chore(deps): update docs npm deps non-major [[woodpecker-ci#3798](woodpecker-ci#3798)]
- Add "Docker Tags" Plugin [[woodpecker-ci#3796](woodpecker-ci#3796)]
- chore(deps): update dependency marked to v13 [[woodpecker-ci#3792](woodpecker-ci#3792)]
- chore: fix some comments [[woodpecker-ci#3788](woodpecker-ci#3788)]

### Misc

- chore(deps): update web npm deps non-major [[woodpecker-ci#3930](woodpecker-ci#3930)]
- chore(deps): update dependency vitest to v2 [[woodpecker-ci#3905](woodpecker-ci#3905)]
- fix(deps): update module github.com/google/go-github/v62 to v63 [[woodpecker-ci#3910](woodpecker-ci#3910)]
- chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[woodpecker-ci#3908](woodpecker-ci#3908)]
- Update plugin-git and add renovate trigger [[woodpecker-ci#3901](woodpecker-ci#3901)]
- chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[woodpecker-ci#3903](woodpecker-ci#3903)]
- fix(deps): update golang-packages [[woodpecker-ci#3875](woodpecker-ci#3875)]
- chore(deps): lock file maintenance [[woodpecker-ci#3876](woodpecker-ci#3876)]
- [pre-commit.ci] pre-commit autoupdate [[woodpecker-ci#3862](woodpecker-ci#3862)]
- Add dummy backend [[woodpecker-ci#3820](woodpecker-ci#3820)]
- chore(deps): update dependency replace-in-file to v8 [[woodpecker-ci#3852](woodpecker-ci#3852)]
- Update forgejo sdk [[woodpecker-ci#3840](woodpecker-ci#3840)]
- chore(deps): lock file maintenance [[woodpecker-ci#3838](woodpecker-ci#3838)]
- Allow to set dist dir using env var [[woodpecker-ci#3814](woodpecker-ci#3814)]
- chore(deps): lock file maintenance [[woodpecker-ci#3805](woodpecker-ci#3805)]
- chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[woodpecker-ci#3797](woodpecker-ci#3797)]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants