Comments (8)
IMO, we should have a config to enable or disable deployment on PRs. We can keep it disabled by default. However, for private environments the risk is minimal.
from woodpecker.
We disabled PR deployments due to security concerns, because it would allow you to access deploy
secrets even if you're not a repo admin.
To be honest, I don't see a good way to prevent this except a new repo config with a warning that this can leak your secrets.
Do you have any idea?
from woodpecker.
Deploy uses secrets enabled for the deploy event. Clicking the deploy button can be done by every repo member (not by externals), right?
from woodpecker.
Clicking the deploy button can be done by every repo member (not by externals), right?
Yes. So you can access any secret if you have push perms but they should only be available with admin perms.
from woodpecker.
So you can access any secret if you have push perms
I might be wrong, but aren't just secrets with the deploy filter exposed to the compiler?
from woodpecker.
I might be wrong, but aren't just secrets with the deploy filter exposed to the compiler?
I'm not sure about this, but how is this important?
The workflow to get a secret that's only intended for deployments would be:
- Open a PR with a malicious woodpecker config (e.g. sending secret value to a remote server)
- Wait until the pipeline finished
- Click the "deploy" button
- The same pipeline will be executed with the `deploy` event and thus has access to all `deploy` secrets
from woodpecker.
Click the "deploy" button
As clicking the deploy button can only be done by a repo member.
Isn't it the same risk as this:
- A member pushes to a branch
- Wait until the pipeline finished
- Click the "deploy" button
- ...
from woodpecker.
Isn't it the same risk as this:
In general, yes, however, you can easily block that using branch protections. Blocking PRs is much harder and probably nobody will do it as it drastically reduces usability.
Maybe it's the best idea to be able to disable the deploy button completely, but if it's enabled allow all events? And add a warning similar to PR secrets?
from woodpecker.
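As an added example (not code from the Woodpecker project or from anyone in this thread), here is a small Python model of the situation the comments above discuss: secrets filtered by event, the deploy button re-running a pipeline with the deployment event, and the two repo-level knobs proposed in the thread (a switch to deploy pull-request pipelines, off by default, and a switch to disable the deploy button entirely). The event names `pull_request` and `deployment` follow Woodpecker's naming; every class, function, role name and sample secret is an assumption constructed for illustration.

```python
# Added example, not Woodpecker's own code: a toy model of event-filtered
# secrets, the deploy button, and the repo-level knobs proposed in the thread.
# All class/function names and sample values are assumptions for illustration.
from dataclasses import dataclass

ROLE_RANK = {"external": 0, "member": 1, "admin": 2}


@dataclass(frozen=True)
class Secret:
    name: str
    value: str
    events: frozenset  # events for which the compiler injects this secret


@dataclass
class Repo:
    secrets: list
    deploy_button_enabled: bool = True   # proposal: disable the deploy button entirely
    deploy_from_pr: bool = False         # proposal: allow deploying PR pipelines (off by default)


@dataclass(frozen=True)
class Pipeline:
    event: str     # "push", "pull_request" or "deployment"
    author: str


class DeployDenied(Exception):
    pass


def secrets_for(repo, event):
    """Secrets the compiler exposes to a pipeline running for `event`."""
    return {s.name: s.value for s in repo.secrets if event in s.events}


def click_deploy(repo, pipeline, actor_role):
    """Model the deploy button: re-run `pipeline` with the deployment event.

    Externals are refused, as are repos with the button disabled, and PR
    pipelines unless the repo explicitly opted in to deploying them.
    """
    if ROLE_RANK[actor_role] < ROLE_RANK["member"]:
        raise DeployDenied("only repo members may deploy")
    if not repo.deploy_button_enabled:
        raise DeployDenied("deploy button disabled for this repo")
    if pipeline.event == "pull_request" and not repo.deploy_from_pr:
        raise DeployDenied("deploying pull-request pipelines is disabled")
    # The re-run reuses the (possibly malicious) config that produced `pipeline`.
    return Pipeline(event="deployment", author=pipeline.author)


def pr_deploy_leak(repo, actor_role="member"):
    """Walk the attack from the thread and return the names of the secrets a
    malicious PR config gets to see: the PR run first, then the deploy re-run."""
    pr = Pipeline(event="pull_request", author="mallory")
    seen = set(secrets_for(repo, pr.event))
    try:
        deploy_run = click_deploy(repo, pr, actor_role)
    except DeployDenied:
        return seen
    return seen | set(secrets_for(repo, deploy_run.event))


def demo_repo(**knobs):
    """Constructed sample repo: one deploy-only secret, one general CI secret."""
    return Repo(
        secrets=[
            Secret("DEPLOY_TOKEN", "dpl-xxxx", frozenset({"deployment"})),
            Secret("CI_TOKEN", "ci-xxxx", frozenset({"push", "pull_request"})),
        ],
        **knobs,
    )


if __name__ == "__main__":
    print("PR deploy allowed:  ", sorted(pr_deploy_leak(demo_repo(deploy_from_pr=True))))
    print("PR deploy disabled: ", sorted(pr_deploy_leak(demo_repo())))
    print("button disabled:    ", sorted(pr_deploy_leak(
        demo_repo(deploy_from_pr=True, deploy_button_enabled=False))))
    print("external actor:     ", sorted(pr_deploy_leak(
        demo_repo(deploy_from_pr=True), actor_role="external")))
```

The model makes the two points in the thread concrete: a `deployment` re-run only receives secrets filtered for that event, so the PR run by itself never sees `DEPLOY_TOKEN`, yet any member who can click the button turns a PR with push-level access into deploy-level secret access. Either knob (refusing PR pipelines by default, or disabling the button for the repo) closes that path; which one a repo picks is the usability trade-off the last comment raises.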