Allow plugins to be restricted by an expression
Up until this point, we've recommended that folks concerned with security in the agent disable plugins because they could allow a variety of attacks, specifically:
- Users could reference plugins that execute arbitrary code which might bypass the `--no-command-eval` option set on the agent
- Upstream plugin could be compromised and changed, which would result in a way to execute arbitrary code

We've recommended that people either disable them, or filter them with tools like https://github.com/buildkite/buildkite-allowed-plugins-hook-example.
This aims to use the Conditional language to allow folks to restrict which agents an agent will allow.
For example:
```
buildkite-agent start \
  --allow-plugin-if 'plugin.vendored == true || plugin.location == "buildkite/llamas"'
```
Still todo:
- [ ] Conditionally allow plugins if `--plugin-condition` is set alongside `--no-command-eval` (unless `--no-plugins` is also set)
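As an added illustration (not code from this pull request or from the agent), the Go sketch below applies the example expression to a constructed plugin list and fails closed on malformed entries. How `vendored` and `location` are derived, the blob layout, and the `github.com/example/...` source are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Plugin holds the two fields the expression uses; how they are derived here is an assumption.
type Plugin struct {
	Location string // source with any "#ref" suffix removed (assumed)
	Vendored bool   // source is a path inside the repository (assumed)
}

// Policy is plugin.vendored == true || plugin.location == "buildkite/llamas".
func Policy(p Plugin) bool { return p.Vendored || p.Location == "buildkite/llamas" }

// Constructed sample blob: a JSON array of bare sources or {source: config} objects.
const sampleBlob = `[{"buildkite/llamas#v1.0.0": {"count": 3}},
 "./.buildkite/plugins/lint",
 {"github.com/example/unreviewed-buildkite-plugin#main": null}]`

// Denied returns the locations that fail the policy; malformed entries are an error (fail closed).
func Denied(blob string, allow func(Plugin) bool) ([]string, error) {
	var entries []json.RawMessage
	if err := json.Unmarshal([]byte(blob), &entries); err != nil {
		return nil, err
	}
	var denied []string
	for _, e := range entries {
		var src string
		if json.Unmarshal(e, &src) != nil { // not a bare string: expect {source: config}
			var obj map[string]json.RawMessage
			if err := json.Unmarshal(e, &obj); err != nil || len(obj) != 1 {
				return nil, fmt.Errorf("unexpected plugin entry: %s", e)
			}
			for k := range obj {
				src = k
			}
		}
		loc := strings.SplitN(src, "#", 2)[0]
		p := Plugin{Location: loc, Vendored: strings.HasPrefix(loc, "./")}
		if !allow(p) {
			denied = append(denied, loc)
		}
	}
	return denied, nil
}
func main() { fmt.Println(Denied(sampleBlob, Policy)) }
```

A caller would refuse the job when `Denied` returns an error or a non-empty slice.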
This is a cool use of conditionals. The plugin JSON env var blob is a total pain to deal with in hooks (https://github.com/buildkite/buildkite-allowed-plugins-hook-example). This makes it way easier to create a list of allowed plugins yeah? Wonder what that looks like in this syntax?
All other security logic is currently done via hooks (e.g. https://buildkite.com/docs/agent/v3/securing) and boolean configs. Any thoughts on making some of that stuff able to be done via conditional logic too? Stuff like repos, teams, plugins, etc? I.e. are there more configs we should add with conditional style logic? Or you thinking everything else would stay as-is?
I think there’s another issue I was hoping to address, that wasn’t related to locked down agents: helping people move to a world where digests are required for github.com repos by default. That was probably why I was shooting for just a boolean config for it.
@lox feels on renaming to --allow-plugin-if ?
We use if in the pipeline.yml file, so I was thinking of using the same-ish nomenclature with the if
> @lox feels on renaming to `--allow-plugin-if`?
+1 - it reads more like authorization, then.