Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow to set custom trusted clone plugins #4352

Merged
merged 19 commits into from
Nov 26, 2024

Conversation

qwerty287
Copy link
Contributor

closes #2601

@qwerty287 qwerty287 added enhancement improve existing features breaking will break existing installations if no manual action happens labels Nov 11, 2024
@qwerty287 qwerty287 added this to the 3.0.0 milestone Nov 11, 2024
@qwerty287 qwerty287 requested a review from a team November 11, 2024 07:12
@woodpecker-bot
Copy link
Collaborator

woodpecker-bot commented Nov 11, 2024

Deployment of preview was torn down

@pat-s
Copy link
Contributor

pat-s commented Nov 11, 2024

How is that different to WOODPECKER_PLUGINS_TRUSTED_CLONE?

@xoxys
Copy link
Member

xoxys commented Nov 11, 2024

You can now set it per repo as well.

@6543
Copy link
Member

6543 commented Nov 11, 2024

You can now set it per repo as well.

did not checked the code jet - but ony an instance admin should be able to change it

@6543
Copy link
Member

6543 commented Nov 11, 2024

one question (idea) that comes into my mind: why not add the config into TrustedConfiguration ?

server/model/repo.go Outdated Show resolved Hide resolved
@xoxys
Copy link
Member

xoxys commented Nov 11, 2024

did not checked the code jet - but ony an instance admin should be able to change it

Repeating it doesnt help. Can we keep the discussion in the issue? You never responded to #2601 (comment)

@qwerty287
Copy link
Contributor Author

Why the instance admin? This is about per-repo/per-user credentials, so the repo admins should decide how they are used.

qwerty287 and others added 3 commits November 15, 2024 08:22
Co-authored-by: Thomas Anderson <127358482+zc-devs@users.noreply.github.com>
@6543
Copy link
Member

6543 commented Nov 19, 2024

Why the instance admin? This is about per-repo/per-user credentials, so the repo admins should decide how they are used.

on public instances like e.g. codeberg:

  1. an malicious aktor creates a new repo (-> repo admin (same is valid for org))
  2. change the trusted clone plugin to one that extracts netrc and send it tho him
  3. motivate other users to create pull requests to e.g. fix a type or what not
  4. other users got there account hijacked

@xoxys
Copy link
Member

xoxys commented Nov 19, 2024

But this would need a private repo then. And if the repo is private you can not easily convince people to contribute to exfiltrate their netrc credentials.

@6543
Copy link
Member

6543 commented Nov 19, 2024

limited repos are enouth ...

@xoxys
Copy link
Member

xoxys commented Nov 19, 2024

What are limited repos? Netrc credentials are only required for cloning private repos and at least for gh there is only private/public.

@pat-s
Copy link
Contributor

pat-s commented Nov 19, 2024

Limited -> logged-in users only
Private -> Fully-private / only visible to explicit org/repo members


How about adding a global option which allows changing WOODPECKER_PLUGINS_TRUSTED_CLONE on a repo level in the first place?

@xoxys
Copy link
Member

xoxys commented Nov 19, 2024

Ok this only applies to gitea/forgejo then? Global option to toggle it sounds good to me.

@qwerty287
Copy link
Contributor Author

I still don't get why. Cloning should always happen with the credentials from the "repo-user", i.e. the user that activeated the repo. If you now have a malicious repo and somebody creates a PR to this, how can this expose credentials except the repo-user ones?

@anbraten
Copy link
Member

I still don't get why. Cloning should always happen with the credentials from the "repo-user", i.e. the user that activeated the repo. If you now have a malicious repo and somebody creates a PR to this, how can this expose credentials except the repo-user ones?

I think so as well. The person activating a repo (or repairing later on) will be used for cloning. You could only try to ask someone to create an org repo for you and then steal those credentials (which is possible already).

@xoxys
Copy link
Member

xoxys commented Nov 19, 2024

Is this currently really the case already? I thought cloning is done by the user who made the commit.

@qwerty287
Copy link
Contributor Author

That's actually impossible because wp can't have the credentials if the user who opens a pr is not registered at the wp instance (for example any non-maintainer on our repos).

@pat-s
Copy link
Contributor

pat-s commented Nov 19, 2024

That's actually impossible because wp can't have the credentials if the user who opens a pr is not registered at the wp instance (for example any non-maintainer on our repos).

Makes sense. Hence, all security concerns don't apply?

@zc-devs
Copy link
Contributor

zc-devs commented Nov 19, 2024

You could only try to ask someone to create an org repo for you and then steal those credentials

Not necessary to ask. There could be a couple of repo admins in the org. One admin adds a repo, another adds a custom image and steals the creds of the first one. But this is matter of trust between the admins of an org. It's unlikely that they would do this in their right minds.

which is possible already

How?

user who opens a pr is not registered

There is crons also.


This magic should be in the docs (#4232). Seems, Bitbucket Datacenter works differently in regard of cloning.

@6543
Copy link
Member

6543 commented Nov 19, 2024

That's actually impossible because wp can't have the credentials if the user who opens a pr is not registered at the wp instance (for example any non-maintainer on our repos).

Makes sense. Hence, all security concerns don't apply?

uh nice - that's one of the things I was going to have to lookup :)

in this case I'm ok with as is :)

Copy link
Contributor

@pat-s pat-s left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine for you given the discussion above.

docs/docs/20-usage/75-project-settings.md Outdated Show resolved Hide resolved
server/model/repo.go Outdated Show resolved Hide resolved
web/src/assets/locales/en.json Outdated Show resolved Hide resolved
@6543 6543 mentioned this pull request Nov 25, 2024
@pat-s pat-s merged commit 5bb7cef into woodpecker-ci:main Nov 26, 2024
6 of 7 checks passed
@woodpecker-bot woodpecker-bot mentioned this pull request Nov 26, 2024
1 task
@woodpecker-bot woodpecker-bot mentioned this pull request Dec 14, 2024
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking will break existing installations if no manual action happens enhancement improve existing features security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Replace NetrcOnlyTrusted with list of trusted plugins for netrc
7 participants