You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The warning introduced by #760 is a bit confusing. It's not clear who can do this attack. I.e. can the attack be performed by:
Only people with write privs to the victim repo? (Seems plausible since Cirrus repo config has an option for only allowing such users to write to caches.)
Only people who create a malicious PR to the victim repo? (Seems plausible since the warning mentions PR's.)
Let's say you have a PR with a Dockerfile like this from a potentially untrusted contributor:
FROM alpine:latest
RUN apk add --no-cache ...
ADD ci.sh /bin/ci.sh
Since contents of the ci.sh script is not part of the caching key for the image you can't be 100% sure that the ci.sh script from the PR is the actual ci.sh script that is inside the container and therefore it is a potential risk.
We recently migrated the internals of the Cirrus configuration parser from Kotlin to Go and now it will be much easier to include the contents of such scripts into the cache key. I've created cirruslabs/cirrus-cli#447 so please follow for the updates.
Description
The warning introduced by #760 is a bit confusing. It's not clear who can do this attack. I.e. can the attack be performed by:
Context
Knowing who can do this attack will enable us to evaluate our risk and manage it accordingly.
Anything Else
N/A.
The text was updated successfully, but these errors were encountered: