Job secret can be read in build log (OD-2226)
lordran opened 1 year ago

I created a user with code writer role for testing.

image_5.png

How can I let a user read and write code and start jobs, but forbid them from seeing the job secrets used by the job, including params of secret type? If I restrict the job secret to a specific branch, group, or user, the job secrets can still be seen:

image.png

Only starting the job causes an authorization error.

The user is a code writer, so he can write his own job (actually write .onedev-buildspec.yml) and print job secrets in a step. I know that "secret value less than 5 characters will not be masked in build log", but I can still print a kubeconfig (far larger than 5 characters) in a test step:

image_3.png

image_4.png

Please check this.

OneDev version: 11.6.6

  • Robin Shen commented 1 year ago

    As long as a user has permission to access a job secret from a build spec crafted by him, the user can get the secret value even if it is masked in the log. For instance, they can modify the job to write the secret into a text file and then publish the text file as an artifact.

    To protect the job secret from being seen by certain code writers, you should configure secret authorization to only allow it to be accessible from protected branches requiring reviews from those code writers.

  • lordran commented 1 year ago

    Hi, @robin

    "they can modify the job to write secret into a text file and then publish the text file as artifacts", indeed, I have tested this before.

    Yet another question: should the job secret be masked in the build log? I tested and printed the unmasked content as described above.

    BTW, is there a way to set global configurations or secrets? We have many parent projects, so we must set the same secret again and again :(

  • Robin Shen commented 1 year ago

    Multi-line secrets cannot be masked in the build log, and I will add a note for that. You may define a job secret in a parent project, and all child projects will be able to use it.
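The two points made above, that log masking is not an authorization boundary (anyone who can edit the build spec can encode or export the value) and that a multi-line secret such as a kubeconfig slips past a line-oriented masker, can be shown with a small added example. This is illustration code written for this page, not OneDev's implementation: the two masking functions, the 5-character threshold, the sample secrets and the step log are all constructed here, and the per-line variant is an added mitigation idea, not something the page says OneDev does.

```python
import base64

# Constructed sample secrets (not real credentials).
SHORT_SECRET = "abcd"                       # 4 chars: below the masking threshold
TOKEN_SECRET = "s3cr3t-token-0123456789"    # single line, caught by a naive masker
KUBECONFIG_SECRET = (                       # multi-line, shaped like a kubeconfig
    "apiVersion: v1\n"
    "clusters:\n"
    "- cluster:\n"
    "    server: https://10.0.0.1:6443\n"
    "users:\n"
    "- user:\n"
    "    token: eyJhbGciOiJSUzI1NiJ9.constructed-sample\n"
)
MIN_MASK_LEN = 5  # assumed threshold, mirroring the "less than 5 characters" note


def naive_mask_line(line, secrets):
    """Line-oriented masker: replaces a secret only when its full value appears
    on one log line. Values shorter than MIN_MASK_LEN are left alone, and a
    multi-line value never matches a single log line, so it is never masked."""
    for secret in secrets:
        if len(secret) >= MIN_MASK_LEN:
            line = line.replace(secret, "******")
    return line


def per_line_mask_line(line, secrets):
    """Hardened variant (added here, not OneDev's): masks each line of every
    secret separately, so dumping a multi-line secret still gets redacted.
    Very short fragments are skipped to avoid masking ordinary log text."""
    for secret in secrets:
        for fragment in secret.splitlines():
            fragment = fragment.strip()
            if len(fragment) >= MIN_MASK_LEN:
                line = line.replace(fragment, "******")
    return line


def mask_log(text, secrets, masker):
    """Applies a line masker to a whole build log."""
    return "\n".join(masker(line, secrets) for line in text.splitlines())


def build_step_log():
    """Constructed output of a build step whose script echoes the secrets,
    once in plain text, once base64-encoded, and once as a kubeconfig dump."""
    encoded = base64.b64encode(TOKEN_SECRET.encode()).decode()
    return "\n".join([
        "+ echo $SHORT", SHORT_SECRET,
        "+ echo $TOKEN", TOKEN_SECRET,
        "+ echo -n $TOKEN | base64", encoded,
        "+ cat $KUBECONFIG", KUBECONFIG_SECRET.rstrip("\n"),
    ])


def demo():
    """Runs both maskers over the constructed log and reports what leaks."""
    secrets = [SHORT_SECRET, TOKEN_SECRET, KUBECONFIG_SECRET]
    log = build_step_log()
    naive = mask_log(log, secrets, naive_mask_line)
    strict = mask_log(log, secrets, per_line_mask_line)
    encoded = base64.b64encode(TOKEN_SECRET.encode()).decode()
    kube_token_line = "token: eyJhbGciOiJSUzI1NiJ9.constructed-sample"
    return {
        "naive_masks_token": TOKEN_SECRET not in naive,
        "naive_leaks_short": SHORT_SECRET in naive,
        "naive_leaks_kubeconfig": kube_token_line in naive,
        "perline_masks_kubeconfig": kube_token_line not in strict,
        # Masking only knows the literal value: an encoded copy passes both
        # maskers, and the build-spec author simply decodes it afterwards.
        "encoded_survives_both": encoded in naive and encoded in strict,
        "recovered_from_encoded": base64.b64decode(encoded).decode() == TOKEN_SECRET,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the point of Robin's first reply: even a masker that handles multi-line values only hides the literal bytes, so whoever controls the build spec can encode the value, write it to a file, or publish it as an artifact. Restricting who may change the build spec (protected branches with review) is what actually limits access; masking only prevents accidental disclosure.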

  • lordran commented 1 year ago

    "You may define job secret in parent project, and all child projects will be able to use that", yes, but we have many parent projects. 😟

  • Robin Shen commented 1 year ago

    You may consider creating a root project and moving all parent projects under this root project.

  • Robin Shen changed state to 'Closed' 1 year ago
    Previous value: Open; current value: Closed
Type: Bug
Priority: Normal
Assignee:
Affected Versions: 11.6.6
Labels: No labels
Issue Votes: 0
Watchers: 2
Reference: OD-2226