Add blocklist of environment variables who could alter execution of plugins #3934
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6543
pushed a commit
that referenced
this pull request
Jul 18, 2024
## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18 ### 🔒 Security - Add blocklist of environment variables who could alter execution of plugins [[#3934](#3934)] - Make sure plugins only mount the workspace base in a predefinde location [[#3933](#3933)] - Disallow to set arbitrary environments for plugins [[#3909](#3909)] - Use proper oauth state [[#3847](#3847)] - Enhance token checking [[#3842](#3842)] - Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[#3834](#3834)] ### ✨ Features - Gracefully shutdown server [[#3896](#3896)] - Gracefully shutdown agent [[#3895](#3895)] - Convert urls in logs to links [[#3904](#3904)] - Allow login using multiple forges [[#3822](#3822)] - Global and organization registries [[#1672](#1672)] - Cli get repo from git remote [[#3830](#3830)] - Add api for forges [[#3733](#3733)] ### 📈 Enhancement - Cli fix pipeline logs [[#3913](#3913)] - Migrate to github.com/urfave/cli/v3 [[#2951](#2951)] - Allow to change the working directory also for plugins and services [[#3914](#3914)] - Remove `unplugin-icons` [[#3809](#3809)] - Release windows binaries as zip file [[#3906](#3906)] - Convert to openapi 3.0 [[#3897](#3897)] - Enhance pipeline list [[#3898](#3898)] - Add user registries UI [[#3888](#3888)] - Sort users by login [[#3891](#3891)] - Exclude dummy backend in production [[#3877](#3877)] - Fix deploy task env [[#3878](#3878)] - Get default branch and show message in pipeline list [[#3867](#3867)] - Add timestamp for last work done by agent [[#3844](#3844)] - Adjust logger types [[#3859](#3859)] - Cleanup state reporting [[#3850](#3850)] - Unify DB tables/columns [[#3806](#3806)] - Let webhook pass on pipeline parsing error [[#3829](#3829)] - Exclude mocks from release build [[#3831](#3831)] - K8s secrets reference from step [[#3655](#3655)] ### 🐛 Bug Fixes - Handle empty repositories in gitea when listing PRs [[#3925](#3925)] - Update alpine package dep for docker images [[#3917](#3917)] - Don't report error if agent was terminated gracefully [[#3894](#3894)] - Let agents continuously report their health [[#3893](#3893)] - Ignore warnings for cli exec [[#3868](#3868)] - Correct favicon states [[#3832](#3832)] - Cleanup of the login flow and tests [[#3810](#3810)] - Fix newlines in logs [[#3808](#3808)] - Fix authentication error handling [[#3807](#3807)] ### 📚 Documentation - Streamline docs for new users [[#3803](#3803)] - Add mastodon verification [[#3843](#3843)] - chore(deps): update docs npm deps non-major [[#3837](#3837)] - fix(deps): update docs npm deps non-major [[#3824](#3824)] - Add openSUSE package [[#3800](#3800)] - chore(deps): update docs npm deps non-major [[#3798](#3798)] - Add "Docker Tags" Plugin [[#3796](#3796)] - chore(deps): update dependency marked to v13 [[#3792](#3792)] - chore: fix some comments [[#3788](#3788)] ### Misc - chore(deps): update web npm deps non-major [[#3930](#3930)] - chore(deps): update dependency vitest to v2 [[#3905](#3905)] - fix(deps): update module github.com/google/go-github/v62 to v63 [[#3910](#3910)] - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[#3908](#3908)] - Update plugin-git and add renovate trigger [[#3901](#3901)] - chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[#3903](#3903)] - fix(deps): update golang-packages [[#3875](#3875)] - chore(deps): lock file maintenance [[#3876](#3876)] - [pre-commit.ci] pre-commit autoupdate [[#3862](#3862)] - Add dummy backend [[#3820](#3820)] - chore(deps): update dependency replace-in-file to v8 [[#3852](#3852)] - Update forgejo sdk [[#3840](#3840)] - chore(deps): lock file maintenance [[#3838](#3838)] - Allow to set dist dir using env var [[#3814](#3814)] - chore(deps): lock file maintenance [[#3805](#3805)] - chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[#3797](#3797)]
6543
added a commit
that referenced
this pull request
Jul 18, 2024
|
The history of this PR is unclear. It was commited 6 hours ago and yet is in a released version of buildbot already. (As of writing this the CI hasn't even finished running). Can someone please clarify what's the purpose of this fix, why is it needed? |
|
@6543 While I can understand the changes, I am pretty confused by the discussion that was done behind closed doors: https://github.com/woodpecker-ci/woodpecker-security is a closed repo. Also, I couldn't find any approvals or reviewers for the PR. |
|
I didn't have time to look it over because I am just leaving the gym, but I did get an explanation from an aquaintance and it makes sense, I'll repost here if they allow. But yeah the way this was merged in is very dubious. |
Sorry but we dont want bad acktors to attack users! So we work serious security fixes in private, when time has passed all the information will be released. For now you can read the patch itselve and guess what to do. |
6543
added a commit
to 6543-forks/woodpecker
that referenced
this pull request
Sep 5, 2024
6543
pushed a commit
to 6543-forks/woodpecker
that referenced
this pull request
Sep 5, 2024
## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18 ### 🔒 Security - Add blocklist of environment variables who could alter execution of plugins [[woodpecker-ci#3934](woodpecker-ci#3934)] - Make sure plugins only mount the workspace base in a predefinde location [[woodpecker-ci#3933](woodpecker-ci#3933)] - Disallow to set arbitrary environments for plugins [[woodpecker-ci#3909](woodpecker-ci#3909)] - Use proper oauth state [[woodpecker-ci#3847](woodpecker-ci#3847)] - Enhance token checking [[woodpecker-ci#3842](woodpecker-ci#3842)] - Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[woodpecker-ci#3834](woodpecker-ci#3834)] ### ✨ Features - Gracefully shutdown server [[woodpecker-ci#3896](woodpecker-ci#3896)] - Gracefully shutdown agent [[woodpecker-ci#3895](woodpecker-ci#3895)] - Convert urls in logs to links [[woodpecker-ci#3904](woodpecker-ci#3904)] - Allow login using multiple forges [[woodpecker-ci#3822](woodpecker-ci#3822)] - Global and organization registries [[woodpecker-ci#1672](woodpecker-ci#1672)] - Cli get repo from git remote [[woodpecker-ci#3830](woodpecker-ci#3830)] - Add api for forges [[woodpecker-ci#3733](woodpecker-ci#3733)] ### 📈 Enhancement - Cli fix pipeline logs [[woodpecker-ci#3913](woodpecker-ci#3913)] - Migrate to github.com/urfave/cli/v3 [[woodpecker-ci#2951](woodpecker-ci#2951)] - Allow to change the working directory also for plugins and services [[woodpecker-ci#3914](woodpecker-ci#3914)] - Remove `unplugin-icons` [[woodpecker-ci#3809](woodpecker-ci#3809)] - Release windows binaries as zip file [[woodpecker-ci#3906](woodpecker-ci#3906)] - Convert to openapi 3.0 [[woodpecker-ci#3897](woodpecker-ci#3897)] - Enhance pipeline list [[woodpecker-ci#3898](woodpecker-ci#3898)] - Add user registries UI [[woodpecker-ci#3888](woodpecker-ci#3888)] - Sort users by login [[woodpecker-ci#3891](woodpecker-ci#3891)] - Exclude dummy backend in production [[woodpecker-ci#3877](woodpecker-ci#3877)] - Fix deploy task env [[woodpecker-ci#3878](woodpecker-ci#3878)] - Get default branch and show message in pipeline list [[woodpecker-ci#3867](woodpecker-ci#3867)] - Add timestamp for last work done by agent [[woodpecker-ci#3844](woodpecker-ci#3844)] - Adjust logger types [[woodpecker-ci#3859](woodpecker-ci#3859)] - Cleanup state reporting [[woodpecker-ci#3850](woodpecker-ci#3850)] - Unify DB tables/columns [[woodpecker-ci#3806](woodpecker-ci#3806)] - Let webhook pass on pipeline parsing error [[woodpecker-ci#3829](woodpecker-ci#3829)] - Exclude mocks from release build [[woodpecker-ci#3831](woodpecker-ci#3831)] - K8s secrets reference from step [[woodpecker-ci#3655](woodpecker-ci#3655)] ### 🐛 Bug Fixes - Handle empty repositories in gitea when listing PRs [[woodpecker-ci#3925](woodpecker-ci#3925)] - Update alpine package dep for docker images [[woodpecker-ci#3917](woodpecker-ci#3917)] - Don't report error if agent was terminated gracefully [[woodpecker-ci#3894](woodpecker-ci#3894)] - Let agents continuously report their health [[woodpecker-ci#3893](woodpecker-ci#3893)] - Ignore warnings for cli exec [[woodpecker-ci#3868](woodpecker-ci#3868)] - Correct favicon states [[woodpecker-ci#3832](woodpecker-ci#3832)] - Cleanup of the login flow and tests [[woodpecker-ci#3810](woodpecker-ci#3810)] - Fix newlines in logs [[woodpecker-ci#3808](woodpecker-ci#3808)] - Fix authentication error handling [[woodpecker-ci#3807](woodpecker-ci#3807)] ### 📚 Documentation - Streamline docs for new users [[woodpecker-ci#3803](woodpecker-ci#3803)] - Add mastodon verification [[woodpecker-ci#3843](woodpecker-ci#3843)] - chore(deps): update docs npm deps non-major [[woodpecker-ci#3837](woodpecker-ci#3837)] - fix(deps): update docs npm deps non-major [[woodpecker-ci#3824](woodpecker-ci#3824)] - Add openSUSE package [[woodpecker-ci#3800](woodpecker-ci#3800)] - chore(deps): update docs npm deps non-major [[woodpecker-ci#3798](woodpecker-ci#3798)] - Add "Docker Tags" Plugin [[woodpecker-ci#3796](woodpecker-ci#3796)] - chore(deps): update dependency marked to v13 [[woodpecker-ci#3792](woodpecker-ci#3792)] - chore: fix some comments [[woodpecker-ci#3788](woodpecker-ci#3788)] ### Misc - chore(deps): update web npm deps non-major [[woodpecker-ci#3930](woodpecker-ci#3930)] - chore(deps): update dependency vitest to v2 [[woodpecker-ci#3905](woodpecker-ci#3905)] - fix(deps): update module github.com/google/go-github/v62 to v63 [[woodpecker-ci#3910](woodpecker-ci#3910)] - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[woodpecker-ci#3908](woodpecker-ci#3908)] - Update plugin-git and add renovate trigger [[woodpecker-ci#3901](woodpecker-ci#3901)] - chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[woodpecker-ci#3903](woodpecker-ci#3903)] - fix(deps): update golang-packages [[woodpecker-ci#3875](woodpecker-ci#3875)] - chore(deps): lock file maintenance [[woodpecker-ci#3876](woodpecker-ci#3876)] - [pre-commit.ci] pre-commit autoupdate [[woodpecker-ci#3862](woodpecker-ci#3862)] - Add dummy backend [[woodpecker-ci#3820](woodpecker-ci#3820)] - chore(deps): update dependency replace-in-file to v8 [[woodpecker-ci#3852](woodpecker-ci#3852)] - Update forgejo sdk [[woodpecker-ci#3840](woodpecker-ci#3840)] - chore(deps): lock file maintenance [[woodpecker-ci#3838](woodpecker-ci#3838)] - Allow to set dist dir using env var [[woodpecker-ci#3814](woodpecker-ci#3814)] - chore(deps): lock file maintenance [[woodpecker-ci#3805](woodpecker-ci#3805)] - chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[woodpecker-ci#3797](woodpecker-ci#3797)]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
close #3929
reviewed at https://github.com/woodpecker-ci/woodpecker-security/pull/15