
[Important] Limit secret access to plugins only

Open 6543 opened this issue 1 year ago • 3 comments

Similar to the images filter for secrets, add a checkbox to only inject the secret if the step is executed as a plugin.

This ensures only the intended entry point gets the secrets to handle.

This helps if a plugin is not based on a scratch image but does contain a shell that could be used.

6543 avatar Aug 03 '22 16:08 6543

I don't see how this could protect secrets? You could just create a plugin (normal docker image) that leaks the secrets, couldn't you?

anbraten avatar Aug 14 '22 16:08 anbraten

This could be helpful in combination with trusted images, e.g. currently, with the trusted image set to woodpeckerci/plugin-git, you can still use:

```yaml
image: woodpeckerci/plugin-git
commands:
  - echo ${SECRET}
```

Adding such an option would prevent that.

lafriks avatar Aug 15 '22 15:08 lafriks

```yaml
image: woodpeckerci/plugin-git
commands:
  - echo ${SECRET} | base58
```

-> it's a trusted image -> secret is leaked (you just have to decode it again)

I don't like to go into more detail about what else you could do ... but it's an open risk (if the repo is not gated)!

6543 avatar Aug 15 '22 18:08 6543
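The following Go program is an added example, not Woodpecker's own code, that models the injection decision discussed above: the existing per-secret images filter, the trusted-image bypass via `commands:`, and the proposed "plugins only" gate (represented here by a hypothetical `PluginsOnly` flag; `Step`, `Secret` and the tag-stripping image comparison are simplifications constructed for this example). The key observation is that a step with `commands:` runs a shell inside the image rather than the image's entrypoint, so the image filter alone cannot distinguish the plugin run from an arbitrary script.

```go
package main

import (
	"fmt"
	"strings"
)

// Step is a simplified model of one pipeline step (constructed for this
// example, not Woodpecker's real pipeline types).
type Step struct {
	Name     string
	Image    string
	Commands []string // non-empty: the user replaces the image entrypoint with a shell script
}

// Secret models a repository secret with the existing images filter plus the
// hypothetical PluginsOnly flag proposed in this issue.
type Secret struct {
	Name        string
	Value       string
	Images      []string // allowed images; empty means no image restriction
	PluginsOnly bool     // proposed: only inject when the step runs as a plugin
}

// IsPlugin reports whether the step runs the image's own entrypoint.
// A step with `commands:` is a shell script inside that image, even if the
// image is a plugin image, so it is not treated as a plugin run.
func (s Step) IsPlugin() bool {
	return len(s.Commands) == 0
}

// imageName strips a tag or digest so "woodpeckerci/plugin-git:v2" and
// "woodpeckerci/plugin-git" compare equal (simplified matching).
func imageName(image string) string {
	if i := strings.Index(image, "@"); i >= 0 {
		image = image[:i]
	}
	slash := strings.LastIndex(image, "/")
	if colon := strings.LastIndex(image, ":"); colon > slash {
		image = image[:colon]
	}
	return image
}

func (sec Secret) allowsImage(image string) bool {
	if len(sec.Images) == 0 {
		return true
	}
	for _, allowed := range sec.Images {
		if imageName(allowed) == imageName(image) {
			return true
		}
	}
	return false
}

// ShouldInject is the injection decision: the image filter first, then the
// proposed plugins-only gate.
func ShouldInject(sec Secret, st Step) bool {
	if !sec.allowsImage(st.Image) {
		return false
	}
	if sec.PluginsOnly && !st.IsPlugin() {
		return false
	}
	return true
}

// Environment returns the environment the step would receive, containing
// only the secrets that pass ShouldInject.
func Environment(secrets []Secret, st Step) map[string]string {
	env := map[string]string{}
	for _, sec := range secrets {
		if ShouldInject(sec, st) {
			env[strings.ToUpper(sec.Name)] = sec.Value
		}
	}
	return env
}

func main() {
	// Constructed sample reproducing the scenario from the thread.
	secret := Secret{Name: "secret", Value: "hunter2", Images: []string{"woodpeckerci/plugin-git"}}
	pluginStep := Step{Name: "clone", Image: "woodpeckerci/plugin-git"}
	shellStep := Step{Name: "leak", Image: "woodpeckerci/plugin-git", Commands: []string{"echo ${SECRET} | base58"}}

	fmt.Println("images filter only:")
	fmt.Println("  plugin step gets secret:  ", ShouldInject(secret, pluginStep))
	fmt.Println("  commands step gets secret:", ShouldInject(secret, shellStep)) // true: the bypass

	secret.PluginsOnly = true
	fmt.Println("images filter + plugins only:")
	fmt.Println("  plugin step gets secret:  ", ShouldInject(secret, pluginStep))
	fmt.Println("  commands step gets secret:", ShouldInject(secret, shellStep)) // false: gated
}
```

Note that the gate only restricts which steps see the secret; it does not, and cannot, prevent a plugin image that is itself malicious from exfiltrating what it is given, which is the point raised in the second comment.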

bounty: 50$

6543 avatar Oct 26 '22 13:10 6543