This issue has been addressed in version 0.23.2. Rather, the greater risk is that users who restrict a secret to the "no commands" option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. There is a responsibility on the end-user to understand how values injected into a plugin are used. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. Parameters should therefore be treated as insensitive. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and - by using common substitution string manipulation - can bypass log masking and expose secrets without the use of the commands block. Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |