Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix netrc injection -> allow injection into untrusted containers #2585

Closed
wants to merge 8 commits into from
Closed

Fix netrc injection -> allow injection into untrusted containers #2585

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
20c69ed
update if condition
pat-s Oct 14, 2023
fddb791
fix settings description
pat-s Oct 14, 2023
d278dfd
fix if condition
pat-s Oct 14, 2023
3372846
update docs
pat-s Oct 14, 2023
5606833
doc
pat-s Oct 14, 2023
82b9b43
remove unnecessary code
pat-s Oct 15, 2023
4407286
chore: merge
pat-s Nov 9, 2024
2612285
Merge branch 'main' into relax-netrc-injection
pat-s Nov 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docs/docs/20-usage/75-project-settings.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ Only server admins can set this option. If you are not a server admin this optio

## Only inject netrc credentials into trusted containers

Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted ([see above](#trusted)) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container in clone step.
Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted ([see above](#trusted)) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container of the pipeline. This can be helpful if you want to execute `git push` commands in a container that is not "trusted" by default.

## Project visibility

Expand Down
2 changes: 1 addition & 1 deletion pipeline/frontend/yaml/compiler/compiler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,7 +253,7 @@ func (c *Compiler) Compile(conf *yaml_types.Workflow) (*backend_types.Config, er
}

// inject netrc if it's a trusted repo or a trusted clone-plugin
if c.securityTrustedPipeline || (container.IsPlugin() && container.IsTrustedCloneImage(c.trustedClonePlugins)) {
if !c.netrcOnlyTrusted || c.securityTrustedPipeline || (c.netrcOnlyTrusted && container.IsPlugin() && container.IsTrustedCloneImage(c.trustedClonePlugins)) {
for k, v := range c.cloneEnv {
step.Environment[k] = v
}
Expand Down
5 changes: 3 additions & 2 deletions web/src/assets/locales/en.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,11 +93,12 @@
"desc": "Every pipeline needs to be approved before being executed."
},
"netrc_only_trusted": {
"netrc_only_trusted": "Only inject netrc credentials into trusted containers",
"desc": "Only inject netrc credentials into trusted containers (recommended)."
"netrc_only_trusted": "Only inject netrc credentials (= git credentials) into trusted containers.",
"desc": "Disabling this option allows the usage of git credentials during cloning and in other pipeline containers."
},
"trusted": {
"trusted": "Trusted",
"desc": "Underlying pipeline containers get access to escalated capabilities like mounting volumes or access to git credentials.",
"network": {
"network": "Network",
"desc": "Underlying pipeline containers get access to network privileges like changing DNS."
Expand Down