woodpecker
[Important] Limit secret access to plugins only
Similar to the images filter for secrets, add a checkbox to only inject a secret if the step is executed as a plugin.
This ensures only the intended entry point gets the secrets to handle.
This does help if a plugin is not based on a scratch image but does contain a shell that could be used.
I don't see how this could protect secrets? You could just create a plugin (a normal Docker image) that leaks the secrets, couldn't you?
This could be helpful in combination with trusted images, e.g. with the trusted image currently set to woodpeckerci/plugin-git
you can still use:
image: woodpeckerci/plugin-git
commands:
  - echo ${SECRET}
Adding such an option would prevent that.
image: woodpeckerci/plugin-git
commands:
  - echo ${SECRET} | base58
-> it's a trusted image -> the secret is leaked (you just have to decode it again)
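The comment above describes the gap: an image allow-list alone still hands the secret to a step that uses the trusted image as a plain shell via `commands:`. As an added example (not Woodpecker's own code; the `plugin_only` switch, the `Step`/`SecretPolicy` shapes and all sample values are assumptions for illustration), the following Python models both filters as one policy decision and shows which step definitions would and would not receive the secret:

```python
# Added example, not Woodpecker's own code. It models the two secret filters
# discussed in this issue as a small policy function: the existing image
# allow-list and the proposed "only inject when the step runs as a plugin"
# switch. The field names (`plugin_only`, `images`) and the Step/SecretPolicy
# shapes are assumptions for illustration, not Woodpecker's real schema.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Step:
    """One pipeline step as a user would write it in the YAML."""
    image: str
    commands: List[str] = field(default_factory=list)
    entrypoint: Optional[List[str]] = None


@dataclass
class SecretPolicy:
    """Per-secret settings: which images may receive it, and whether it is plugin-only."""
    name: str
    images: List[str] = field(default_factory=list)  # empty allow-list means any image
    plugin_only: bool = False  # hypothetical switch proposed in this issue


def runs_as_plugin(step: Step) -> bool:
    """A step runs 'as a plugin' only when nothing overrides the image's own
    entrypoint/cmd: no `commands` and no `entrypoint` in the step definition.
    Once `commands:` is present, the image is just a shell environment."""
    return not step.commands and step.entrypoint is None


def may_inject(policy: SecretPolicy, step: Step) -> Tuple[bool, str]:
    """Return (decision, reason). The reason is what you would log so that a
    withheld secret is visible in the pipeline output instead of silently empty."""
    if policy.images and step.image not in policy.images:
        return False, f"{policy.name}: image {step.image!r} not in allow-list"
    if policy.plugin_only and not runs_as_plugin(step):
        return False, f"{policy.name}: step overrides entrypoint/commands, plugin-only secret withheld"
    return True, f"{policy.name}: injected"


def inject_secrets(policies: List[SecretPolicy], step: Step, values: Dict[str, str]) -> Dict[str, str]:
    """Build the secret part of a step's environment, dropping every secret the policy denies."""
    env: Dict[str, str] = {}
    for policy in policies:
        allowed, _reason = may_inject(policy, step)
        if allowed:
            env[policy.name] = values[policy.name]
    return env


# Constructed sample data mirroring the thread: the same trusted-image allow-list
# with and without the proposed plugin-only switch, and three step shapes.
SECRET_VALUES = {"SECRET": "constructed-placeholder-value"}
IMAGE_ONLY = SecretPolicy("SECRET", images=["woodpeckerci/plugin-git"])
PLUGIN_ONLY = SecretPolicy("SECRET", images=["woodpeckerci/plugin-git"], plugin_only=True)

PLUGIN_STEP = Step(image="woodpeckerci/plugin-git")                          # real plugin use
SHELL_STEP = Step(image="woodpeckerci/plugin-git", commands=["echo ${SECRET}"])  # trusted image as shell
OTHER_STEP = Step(image="alpine", commands=["echo ${SECRET}"])               # not on the allow-list

if __name__ == "__main__":
    for policy in (IMAGE_ONLY, PLUGIN_ONLY):
        for step in (PLUGIN_STEP, SHELL_STEP, OTHER_STEP):
            print(f"plugin_only={policy.plugin_only} image={step.image} "
                  f"commands={bool(step.commands)} -> {may_inject(policy, step)}")
```

With only the image allow-list, `SHELL_STEP` still receives the secret, which is exactly the case the comment shows; with `plugin_only` set it is withheld. The check matches image names by exact string here, so a real implementation has to decide how tags and digests are compared, and it does not address the earlier objection that a malicious plugin image can itself leak what it is given: that part is what the trusted-image allow-list is for, and the two filters are only useful together.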
I don't like to go into more detail about what else you could do ... but it's an open risk (if the repo is not gated)!
bounty: 50$