Fix netrc injection -> allow injection into untrusted containers #2585
Conversation
Codecov ReportAttention:
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## main #2585 +/- ##
==========================================
- Coverage 33.96% 33.95% -0.02%
==========================================
Files 203 203
Lines 13016 13016
==========================================
- Hits 4421 4419 -2
- Misses 8243 8245 +2
Partials 352 352
☔ View full report in Codecov by Sentry. |
|
Deployment of preview was torn down |
|
Tested that the fixes work - credentials are now injected as expected. The change in line 256 was the important one. |
|
I am fine with fixing it first. |
|
However AFAIK this is a feature not a fix, right? I think it was on purpose that only the clone image would receive netrc credentials when used in the steps. |
| @@ -253,7 +253,7 @@ func (c *Compiler) Compile(conf *yaml_types.Workflow) (*backend_types.Config, er | |||
| step := c.createProcess(name, container, stepType) | |||
|
|
|||
| // inject netrc if it's a trusted repo or a trusted clone-plugin | |||
| if c.trustedPipeline || (container.IsPlugin() && container.IsTrustedCloneImage()) { | |||
| if !c.netrcOnlyTrusted || c.trustedPipeline || (c.netrcOnlyTrusted && container.IsPlugin() && container.IsTrustedCloneImage()) { | |||
There was a problem hiding this comment.
Thinking about it, it could be best to have following cases:
- if trusted repo (needs admin access)
- if plugin and trusted clone image (clone image should not steal /leak the credentials)
New case:
- if
netrcOnlyTrustedis active only allow plugins as the admin could trust them, so we might need a list ofpassNetrcToImagesinstead
Main scenarios how WP is used (from what I know):
- single admin using it as "hobbist" => could simply use trusted option if wanted
- instance with multiple users (company, multiple friends, community like codeberg) => not everyone was made an admin somehow (probably they do not 100% trust everybody), so to prevent miss-configuration it could be best to still be pretty strict about options like passing netrc
It sounds like nobody really knows 😅 To me, reading the option description, it sounds like this is a "bugfix" as I would have expected that unchecking this option injects netrc into all containers - as the option did not say that it's limited to the clone step. WRT to security: I fully understand the hesitation and why it should not be injected into all containers by default. Yet I wonder if there's really a different in limiting it to the clone step only or not - if there is malicious motivation, the step does not really matter. Or am I overlooking something? If this is the case, then the PR can be merged.
This is my use case (at least in a specific env). Not everybody is admin (as this is not good per se and not everyone knows what's possible etc.). But everybody should have the option to decide for their own repos whether they want to inject netrc - at least that's my view. I see the point when an admin wants to prevent this entirely. So maybe an additional admin option is needed which allows/forbids changing the repo setting in the first place? |
|
Although it was document in a bad way / the option implied sth else, no one was currently able to use it in steps therefore we should carefully thing how we provide this power to users as it would be breaking if we remove it later on again. Regarding the security aspect I currently think it would be best to replace the current option with a comma separated list of images. As netrc credentials are somehow a secret as well this would match the logic we use for the secret image list. The credentials should therefore only be passed to plugin of that list. If empty they should not be passed to anything else then the official plugin. It would probably the best if we make this a breaking change with 2.0 now and require the user to add custom clone images to the list as well. |
|
I am not sure because AFAICS #2601 only tackles the plugin case but doesn't allow arbitrary images to use the netrc creds (which should also be an option for repo admins IMO). Besides the one to give netrc to plugins. But I didn't had time to dive deep into this topic in the last days. I don't think we can finish this for 2.0, so let's at least move it out of this milestone. |
|
@woodpecker-ci/maintainers Can we fix conflicts and merge this fix as is? Right now, the option If we decided to drop this feature completely, fine for me, but right now the checkbox exist in the latest version of wp and as long as it exists it should at least work. I cannot believe that we have not fixed this issue since more than a year just because we might or might not want to drop it (which also doesn't happen till now). |
6543
added
enhancement
|
@6543 this is definitely not an enhancement. This checkbox exists today, and unchecking the checkbox has no effect. That's what I would call a bug. |
|
Did not test that, but from looking at the code, this should work as intended. However, we probably talk about different things here: I think the intended way of the feature is to never inject the creds into normal containers, only in clone containers. Tbh I'm not a big fan of allowing this, I think you should not use these creds in your own steps, only for cloning. |
|
We agreed with that: the default behavior should be to not share credentials with containers except clone. The fact there is a dedicated option is to let the user choose if it requires a less secure alternative in all conscience. Although I migrated to WP a long time ago, I'm still required to run Drone for repositories making This doesn't involve to stop thinking to a more secure way to do that, but ATM there is only this option ... that doesn't work. |
|
While I understand all discussion around this feature in general, as @xoxys said: the checkbox exists currently and is broken. This PR only fixes that. Everything else (whether to restrict the option to admins-only or other ideas) should be done in a separate discussion and PR then IMO. I am gonna resolve conflicts and then leave it to somebody else to possibly approve or deny this. |
|
@pat-s It actually works fine (just checked the code and function again). You can use a custom clone plugin and set this option to still allow the netrc injection. It was not intended to be used for normal steps as this PR is doing it. Therefore this PR is rather a new feature and should probably start migrating to sth like #2601. We could also change the description of the current option to sth like |
|
I understand (now) better. Yes, I think updating the wording here is very important to avoid these misconceptions. I think also the description should be much more verbose here to explain the setting. Currently it is just repeating the title of the setting, which doesn't help at all. |
|
Closing as due to the latest comment by @anbraten. |
|
Well if that is really the intended way then the description is completely misleading. So what was the intention to write such a description then back in the days where this setting was introduced? |
fix #2583
And improve settings documentation.