From 7ceeaf02c9b265c89ac4f7b381d2bb8cc6de9936 Mon Sep 17 00:00:00 2001
From: DavidGOrtega
Date: Thu, 4 Nov 2021 10:42:47 +0100
Subject: [PATCH 1/7] Restrict runner ENV access
---
 src/drivers/github.js | 3 ++-
 src/drivers/gitlab.js | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/drivers/github.js b/src/drivers/github.js
index 4d7283800..9ceb22501 100644
--- a/src/drivers/github.js
+++ b/src/drivers/github.js
@@ -265,7 +265,8 @@ class Github {
 );
 return spawn(resolve(workdir, 'run.sh'), {
- shell: true
+ shell: true,
+ env: {}
 });
 } catch (err) {
 throw new Error(`Failed preparing GitHub runner: ${err.message}`);
diff --git a/src/drivers/gitlab.js b/src/drivers/gitlab.js
index af8fe5741..b52324ae5 100644
--- a/src/drivers/gitlab.js
+++ b/src/drivers/gitlab.js
@@ -204,7 +204,7 @@ class Gitlab {
 --docker-runtime "${gpu ? 'nvidia' : ''}" \
 ${single ? '--max-builds 1' : ''}`;
- return spawn(command, { shell: true });
+ return spawn(command, { shell: true, env: {} });
 } catch (err) {
 throw new Error(`Failed preparing Gitlab runner: ${err.message}`);
 }
From 251ce867f60b822b63e19545d4305bf1033c7b97 Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Mon, 12 Sep 2022 21:41:25 +0000
Subject: [PATCH 2/7] Retrieve exclusion list from environment variable
---
 src/cml.js | 8 +++++++-
 src/drivers/bitbucket_cloud.js | 4 ++--
 src/drivers/github.js | 4 ++--
 src/drivers/gitlab.js | 5 +++--
 4 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/cml.js b/src/cml.js
index b303942d8..a8a4ac9c3 100755
--- a/src/cml.js
+++ b/src/cml.js
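Review bot: `env: {}` in the spawn options strips every inherited variable, including `PATH` and `HOME`, so the `run.sh` started here — and the `gitlab-runner` command spawned in the gitlab.js hunk of this same patch — runs without the lookup path and home directory a shell-launched process normally relies on; whether the binaries still resolve depends on the shell's built-in default path, which I cannot confirm from here. If the goal is only to keep credentials away from the runner, a filtered copy of `process.env` is safer than an empty object, with something like `env: { PATH: process.env.PATH, HOME: process.env.HOME }` as the minimum; patch 2 of this series moves in that direction. Both enclosing `startRunner` methods begin outside their hunks.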
@@ -408,7 +408,13 @@ class CML {
 }
 async startRunner(opts = {}) {
- return await this.getDriver().startRunner(opts);
+ const env = {};
+ const sensitive =
+ ['CML_RUNNER_SENSITIVE_ENV'] +
+ process.env.CML_RUNNER_SENSITIVE_ENV.split(':');
+ for (const variable in process.env)
+ if (!sensitive.includes(variable)) env[variable] = process.env[variable];
+ return await this.getDriver().startRunner({ ...opts, env });
 }
 async registerRunner(opts = {}) {
diff --git a/src/drivers/bitbucket_cloud.js b/src/drivers/bitbucket_cloud.js
index 0c6a668dd..b626f467b 100644
--- a/src/drivers/bitbucket_cloud.js
+++ b/src/drivers/bitbucket_cloud.js
@@ -124,7 +124,7 @@ class BitbucketCloud {
 async startRunner(opts) {
 const { projectPath } = this;
- const { workdir, name, labels } = opts;
+ const { workdir, name, labels, env } = opts;
 winston.warn(
 `Bitbucket runner is working under /tmp folder and not under ${workdir} as expected`
@@ -155,7 +155,7 @@ class BitbucketCloud {
 ${gpu ? '--runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=all' : ''} \
 docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner:1`;
- return spawn(command, { shell: true });
+ return spawn(command, { shell: true, env });
 } catch (err) {
 throw new Error(`Failed preparing runner: ${err.message}`);
 }
diff --git a/src/drivers/github.js b/src/drivers/github.js
index e95173dcf..ee6bc6191 100644
--- a/src/drivers/github.js
+++ b/src/drivers/github.js
@@ -249,7 +249,7 @@ class Github {
 }
 async startRunner(opts) {
- const { workdir, single, name, labels } = opts;
+ const { workdir, single, name, labels, env } = opts;
 try {
 const runnerCfg = resolve(workdir, '.runner');
@@ -285,7 +285,7 @@ class Github {
 return spawn(resolve(workdir, 'run.sh'), {
 shell: true,
- env: {}
+ env
 });
 } catch (err) {
 throw new Error(`Failed preparing GitHub runner: ${err.message}`);
diff --git a/src/drivers/gitlab.js b/src/drivers/gitlab.js
index ebb594a20..ed5975958 100644
--- a/src/drivers/gitlab.js
+++ b/src/drivers/gitlab.js
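Review bot: `['CML_RUNNER_SENSITIVE_ENV'] + process.env.CML_RUNNER_SENSITIVE_ENV.split(':')` applies `+` to two arrays, which produces a comma-joined string rather than an array, so `sensitive.includes(variable)` in the loop below is a substring test on that string: any variable whose name is a substring of a listed name (for example `ENV`) is withheld from the runner, and the exact-name exclusion the commit intends is lost. Patch 4 of this series replaces the `+` with a spread, which resolves that. Independently, `process.env.CML_RUNNER_SENSITIVE_ENV.split(':')` throws a TypeError when the variable is unset, so a runner start without it fails outright instead of applying an empty list; that remains after patch 4. The enclosing `CML` class continues outside the hunk.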
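Review bot: `env` is destructured from `opts` with no default and handed to `spawn(command, { shell: true, env })` as-is; Node's `child_process` treats `env: undefined` as "inherit `process.env`", so any caller that reaches this driver method without going through `CML.startRunner` silently gets the pre-patch behaviour with every variable exposed to the runner. The same applies to the github.js hunk at `spawn(resolve(workdir, 'run.sh'), { shell: true, env })` and to the gitlab.js hunks of this patch. Whether such a direct caller exists I cannot tell from here; a comment beside the destructuring such as `// env must be the filtered copy built by CML.startRunner — undefined here makes spawn() inherit the full process.env` would record the contract, and `if (env === undefined) throw new Error('startRunner requires a filtered env');` would enforce it. Both `startRunner` methods begin outside their second hunks.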
@@ -176,7 +176,8 @@ class Gitlab {
 single,
 labels,
 name,
- dockerVolumes = []
+ dockerVolumes = [],
+ env
 } = opts;
 const gpu = await gpuPresent();
@@ -210,7 +211,7 @@ class Gitlab {
 ${dockerVolumesTpl} \
 ${single ? '--max-builds 1' : ''}`;
- return spawn(command, { shell: true, env: {} });
+ return spawn(command, { shell: true, env });
 } catch (err) {
 if (err.message === 'Forbidden')
 err.message +=
From 30acbb8d18e9238aea0f8d55b61dc1591c4bb7c2 Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Mon, 10 Oct 2022 06:00:01 +0200
Subject: [PATCH 3/7] Apply suggestions from code review
---
 src/cml.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cml.js b/src/cml.js
index a8a4ac9c3..748c82189 100755
--- a/src/cml.js
+++ b/src/cml.js
@@ -410,8 +410,8 @@ class CML {
 async startRunner(opts = {}) {
 const env = {};
 const sensitive =
- ['CML_RUNNER_SENSITIVE_ENV'] +
- process.env.CML_RUNNER_SENSITIVE_ENV.split(':');
+ ['_CML_RUNNER_SENSITIVE_ENV'] +
+ process.env._CML_RUNNER_SENSITIVE_ENV.split(':');
 for (const variable in process.env)
 if (!sensitive.includes(variable)) env[variable] = process.env[variable];
 return await this.getDriver().startRunner({ ...opts, env });
From daa7cde242b5b9458e15f1c4ed9711845ecb9565 Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Mon, 10 Oct 2022 06:05:25 +0200
Subject: [PATCH 4/7] =?UTF-8?q?Fix=20=E2=80=9Cthe=20blunder=20of=20the=20c?=
 =?UTF-8?q?entury=E2=80=9D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://www.youtube.com/watch?v=vcFBwt1nu2U
---
 src/cml.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/cml.js b/src/cml.js
index 748c82189..b92b92e29 100755
--- a/src/cml.js
+++ b/src/cml.js
@@ -409,9 +409,10 @@ class CML {
 async startRunner(opts = {}) {
 const env = {};
- const sensitive =
- ['_CML_RUNNER_SENSITIVE_ENV'] +
- process.env._CML_RUNNER_SENSITIVE_ENV.split(':');
+ const sensitive = [
+ '_CML_RUNNER_SENSITIVE_ENV',
+ ...process.env._CML_RUNNER_SENSITIVE_ENV.split(':')
+ ];
 for (const variable in process.env)
 if (!sensitive.includes(variable)) env[variable] = process.env[variable];
 return await this.getDriver().startRunner({ ...opts, env });
From e7e3b52e8629f9fe784c1474c5d88125d8fe624e Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Tue, 1 Nov 2022 19:56:21 +0100
Subject: [PATCH 5/7] Add warning for GitHub runners
---
 src/drivers/github.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/drivers/github.js b/src/drivers/github.js
index 2c50ce7f1..d9ec8a247 100644
--- a/src/drivers/github.js
+++ b/src/drivers/github.js
@@ -251,7 +251,9 @@ class Github {
 async startRunner(opts) {
 const { workdir, single, name, labels, env } = opts;
-
+
+ this.warn('cloud credentials are no longer available on self-hosted runner steps; please use step.env and secrets instead');
+
 try {
 const runnerCfg = resolve(workdir, '.runner');
From 2ec1362cc531376b2b88697c5464670065f7c8cb Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Tue, 21 Feb 2023 18:09:24 +0100
Subject: [PATCH 6/7] Update github.js
---
 src/drivers/github.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/drivers/github.js b/src/drivers/github.js
index 7b25e1845..ee0da4e1f 100644
--- a/src/drivers/github.js
+++ b/src/drivers/github.js
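Review bot: `...process.env._CML_RUNNER_SENSITIVE_ENV.split(':')` still throws a TypeError when `_CML_RUNNER_SENSITIVE_ENV` is unset, so a runner start that does not receive the list fails instead of running; if whoever provisions the runner always sets it, a comment saying so next to `const sensitive = [` is enough, otherwise `...(process.env._CML_RUNNER_SENSITIVE_ENV || '').split(':')` keeps the list variable itself excluded and filters nothing more. Worth recording in the same comment that this is a deny-list — a credential variable not named in `_CML_RUNNER_SENSITIVE_ENV` still reaches the runner process, so the list has to be maintained wherever credentials are injected. As a style point, `sensitive.includes(variable)` inside the `for...in` is a linear scan per variable; `new Set([...])` with `sensitive.has(variable)` reads the same and scales better. The enclosing `CML` class continues outside the hunk.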
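Review bot: `this.warn(...)` runs on every GitHub runner start, whether or not `_CML_RUNNER_SENSITIVE_ENV` removed anything, and nothing in the hunk shows that `Github` defines a `warn` method — bitbucket_cloud.js in this series logs through `winston.warn` — so if the method does not exist the added line throws before the `try` and every runner start fails; worth confirming against the class definition, which is outside the hunk. If it does exist, the message is accurate only when the caller actually filtered `env` (see the `env` destructuring two lines above); phrasing it as `'cloud credentials are not passed to self-hosted runner steps; use step.env and secrets instead'` keeps it true regardless of how `startRunner` was reached. `startRunner` continues outside the hunk.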
@@ -257,7 +257,9 @@ class Github {
 async startRunner(opts) {
 const { workdir, single, name, labels, env } = opts;
- this.warn('cloud credentials are no longer available on self-hosted runner steps; please use step.env and secrets instead');
+ this.warn(
+ 'cloud credentials are no longer available on self-hosted runner steps; please use step.env and secrets instead'
+ );
 try {
 const runnerCfg = resolve(workdir, '.runner');
From 8dd516ea308c33d01f7512c4b2df9988f4befbe9 Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Tue, 21 Feb 2023 18:14:41 +0100
Subject: [PATCH 7/7] Update github.js
---
 src/drivers/github.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/drivers/github.js b/src/drivers/github.js
index ee0da4e1f..ad5e88c13 100644
--- a/src/drivers/github.js
+++ b/src/drivers/github.js
@@ -256,11 +256,11 @@ class Github {
 async startRunner(opts) {
 const { workdir, single, name, labels, env } = opts;
-
+
 this.warn(
 'cloud credentials are no longer available on self-hosted runner steps; please use step.env and secrets instead'
 );
-
+
 try {
 const runnerCfg = resolve(workdir, '.runner');