
Don't expose task data via api #4108

Merged: 7 commits merged into woodpecker-ci:main from dont-leak-task-data, Sep 14, 2024

Conversation

@6543 (Member) commented Sep 13, 2024

Currently an instance admin can just query all secrets of active or pending workflows:

curl 'http://1.2.3.4:8000/api/queue/info' -H 'Cookie: user_sess=some.jwt.token' | jq .pending[].data | tr -d '"' | base64 -d | jq .config.secrets

This is not a serious issue, but we never use this info in the webui anyway, so we should just not make it available.
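As an added regression check (not part of this PR or of the Woodpecker code base), the following Python walks a /api/queue/info body of the shape the curl pipeline above decodes and reports which secret names are still recoverable from task data; the two sample responses and the secret name are constructed for the example, and the field names are assumed from the pipeline above.

```python
import base64
import json

# Constructed sample response shaped like the page's curl output:
# pending[].data is base64-encoded JSON carrying config.secrets.
# Every value here is made up for the example.
_LEAKY_TASK = {"config": {"secrets": [{"name": "DOCKER_PASSWORD", "value": "hunter2"}]}}
LEAKY_RESPONSE = {
    "pending": [{"id": "1", "data": base64.b64encode(json.dumps(_LEAKY_TASK).encode()).decode()}],
    "running": [],
}
# What the hardened endpoint is expected to return: no data field at all.
HARDENED_RESPONSE = {"pending": [{"id": "1"}], "running": [{"id": "2"}]}


def exposed_secret_names(queue_info: dict) -> list[str]:
    """Return the secret names recoverable from a /api/queue/info body.

    Walks every task in the pending and running lists, base64-decodes its
    'data' field (when present), parses it as JSON and collects
    config.secrets[].name. Data that does not decode to a JSON object is
    skipped here; has_task_data() flags it separately so an opaque blob
    still shows up as something the endpoint should not be returning.
    """
    names = []
    for state in ("pending", "running"):
        for task in queue_info.get(state) or []:
            raw = task.get("data")
            if not raw:
                continue
            try:
                decoded = json.loads(base64.b64decode(raw))
            except ValueError:  # binascii.Error and JSONDecodeError are ValueErrors
                continue
            if not isinstance(decoded, dict):
                continue
            secrets = (decoded.get("config") or {}).get("secrets") or []
            names.extend(s.get("name", "<unnamed>") for s in secrets)
    return names


def has_task_data(queue_info: dict) -> bool:
    """True if any queued task still carries a non-empty 'data' field."""
    return any(task.get("data") for state in ("pending", "running")
               for task in queue_info.get(state) or [])


if __name__ == "__main__":
    print("before fix:", exposed_secret_names(LEAKY_RESPONSE), has_task_data(LEAKY_RESPONSE))
    print("after fix :", exposed_secret_names(HARDENED_RESPONSE), has_task_data(HARDENED_RESPONSE))
```

Point it at the parsed JSON of your own instance's queue endpoint after upgrading: both functions should come back empty and False.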

@6543 added the labels enhancement (improve existing features), breaking (will break existing installations if no manual action happens) and security, Sep 13, 2024
@6543 added this to the 3.0.0 milestone, Sep 13, 2024
@woodpecker-bot (Collaborator) commented: Deploying preview to https://woodpecker-ci-woodpecker-pr-4108.surge.sh

Review thread on server/api/agent.go (outdated, resolved)
@anbraten changed the title from "Dont leak Task Data to API" to "Don't expose task data via api", Sep 14, 2024
@6543 requested a review from anbraten, September 14, 2024 14:01
@6543 enabled auto-merge (squash), September 14, 2024 15:31
@6543 merged commit 41b2127 into woodpecker-ci:main, Sep 14, 2024
7 checks passed
@6543 deleted the dont-leak-task-data branch, September 15, 2024 00:20
@woodpecker-bot mentioned this pull request Sep 15, 2024
@woodpecker-bot mentioned this pull request Dec 14, 2024