From e7d27a5af1960664470ba3614fe7faf43d46693b Mon Sep 17 00:00:00 2001
From: DavidGOrtega
Date: Fri, 10 May 2024 00:04:13 +0200
Subject: [PATCH] Add exclusion list for environment variables (#802)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Restrict runner ENV access
* Retrieve exclusion list from environment variable
* Apply suggestions from code review
* Fix “the blunder of the century”
https://www.youtube.com/watch?v=vcFBwt1nu2U
* Add warning for GitHub runners
* Update github.js
* Update github.js
---------
Co-authored-by: Helio Machado <0x2b3bfa0+git@googlemail.com>
---
 src/cml.js | 9 ++++++++-
 src/drivers/bitbucket_cloud.js | 4 ++--
 src/drivers/github.js | 9 +++++++--
 src/drivers/gitlab.js | 5 +++--
 4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/cml.js b/src/cml.js
index 59624fc5e..92b136080 100644
--- a/src/cml.js
+++ b/src/cml.js
@@ -421,7 +421,14 @@ class CML {
 }
 async startRunner(opts = {}) {
- return await this.getDriver().startRunner(opts);
+ const env = {};
+ const sensitive = [
+ '_CML_RUNNER_SENSITIVE_ENV',
+ ...process.env._CML_RUNNER_SENSITIVE_ENV.split(':')
+ ];
+ for (const variable in process.env)
+ if (!sensitive.includes(variable)) env[variable] = process.env[variable];
+ return await this.getDriver().startRunner({ ...opts, env });
 }
 async registerRunner(opts = {}) {
diff --git a/src/drivers/bitbucket_cloud.js b/src/drivers/bitbucket_cloud.js
index 4c56986f8..76680da79 100644
--- a/src/drivers/bitbucket_cloud.js
+++ b/src/drivers/bitbucket_cloud.js
@@ -166,7 +166,7 @@ class BitbucketCloud {
 async startRunner(opts) {
 const { projectPath } = this;
- const { workdir, name, labels } = opts;
+ const { workdir, name, labels, env } = opts;
 winston.warn( `Bitbucket runner is working under /tmp folder and not under ${workdir} as expected`
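Review bot: `process.env._CML_RUNNER_SENSITIVE_ENV.split(':')` in the new `sensitive` array throws a TypeError whenever that variable is not exported, so every startRunner invocation that does not set an exclusion list now fails instead of starting the runner; default it, `...(process.env._CML_RUNNER_SENSITIVE_ENV || '').split(':').filter(Boolean)`. The filter only keeps the list tidy when the value is empty or has stray colons, since no environment variable has an empty name. Beyond that crash, note that this is a denylist matched by exact, case-sensitive name: anything not listed in `_CML_RUNNER_SENSITIVE_ENV` is still copied into `env` and inherited by the runner process, so the operator has to enumerate every credential variable; a comment above `sensitive` should state that contract, e.g. `// Denylist: only the colon-separated names in _CML_RUNNER_SENSITIVE_ENV (exact match) are withheld from the runner; every other variable is inherited.` A caller-supplied `opts.env` is also silently replaced by the filtered copy via `{ ...opts, env }`, which is worth a line in the same comment. The startRunner body is complete within the hunk.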
@@ -197,7 +197,7 @@ class BitbucketCloud {
 ${gpu ? '--runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=all' : ''} \
 docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner:1`;
- return spawn(command, { shell: true });
+ return spawn(command, { shell: true, env });
 } catch (err) {
 throw new Error(`Failed preparing runner: ${err.message}`);
 }
diff --git a/src/drivers/github.js b/src/drivers/github.js
index 70d216756..ad5e88c13 100644
--- a/src/drivers/github.js
+++ b/src/drivers/github.js
@@ -255,7 +255,11 @@ class Github {
 }
 async startRunner(opts) {
- const { workdir, single, name, labels } = opts;
+ const { workdir, single, name, labels, env } = opts;
+
+ this.warn( 'cloud credentials are no longer available on self-hosted runner steps; please use step.env and secrets instead'
+ );
 try {
 const runnerCfg = resolve(workdir, '.runner');
@@ -295,7 +299,8 @@ class Github {
 );
 return spawn(resolve(workdir, 'run.sh'), {
- shell: true
+ shell: true,
+ env
 });
 } catch (err) {
 throw new Error(`Failed preparing GitHub runner: ${err.message}`);
diff --git a/src/drivers/gitlab.js b/src/drivers/gitlab.js
index 489f64d35..3360e39c7 100644
--- a/src/drivers/gitlab.js
+++ b/src/drivers/gitlab.js
@@ -183,7 +183,8 @@ class Gitlab {
 single, labels, name,
- dockerVolumes = []
+ dockerVolumes = [],
+ env
 } = opts;
 const gpu = await gpuPresent();
@@ -222,7 +223,7 @@ class Gitlab {
 ${dockerVolumesTpl} \
 ${single ? '--max-builds 1' : ''}`;
- return spawn(command, { shell: true });
+ return spawn(command, { shell: true, env });
 } catch (err) {
 if (err.message === 'Forbidden') err.message +=
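Review bot: The new `this.warn(...)` right after the destructuring in Github.startRunner fires on every call, including when `env` was not supplied by the caller, in which case the later `spawn(..., { shell: true, env })` passes `env: undefined` and the runner presumably still inherits the full parent environment, so the message would then be wrong as well as noisy. Gate it on the filtered environment actually being present, `if (env) this.warn(...)`, so the claim matches what the process gets. A short comment would also help a reader of this driver, who cannot see that the stripping happens in CML.startRunner: `// env is the parent environment minus the names listed in _CML_RUNNER_SENSITIVE_ENV (filtered in CML.startRunner).` The startRunner body continues past the end of this hunk.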