
Remote Code Execution in convert CI/CD stage through PYTHON_ARGS environment variable #12

Open
gronke opened this issue Jul 26, 2024 · 0 comments


gronke commented Jul 26, 2024

An insecure PYTHON_ARGS environment variable in the CI/CD runners allows members of a repository with permission to manually trigger a pipeline

Technical Description

When the disable_entrypoint_overwrite setting was enabled (https://docs.gitlab.com/runner/configuration/advanced-configuration.html), it prevented committers from overriding the entrypoint of the convert image. The entrypoint assumes a user's ability to execute arbitrary commands on the runner instance, hence including insecure PYTHON_ARGS exposed no further risk.

Steps to reproduce

  1. Create pentext project (with source/report.xml existing)
  2. Commit malicious Python script to the repository (touch ./source/my-evil-script.py)
  3. Manually run the CI/CD pipelines with PYTHON_ARGS=./source/my-evil-script.py

Impact

Repository members with permission to manually run a convert pipeline can execute arbitrary Python code on the GitLab Runner instance, allowing them to circumvent the intended security measure.

Recommendation

  • With entrypoint override disabled, do not include PYTHON_ARGS.
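The weakness above is a job script that hands a pipeline variable straight to the Python interpreter. The following is an added audit check, not code from the pentext project or this issue: it scans job script lines for interpreter invocations that expand a variable which is not a GitLab-predefined one and therefore could be set by whoever triggers the pipeline. The job definitions, job names and script lines are constructed for the example; the real pipeline may differ.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample job definitions (hypothetical, not the project's real
# .gitlab-ci.yml). The "convert" job expands PYTHON_ARGS into the python
# command line, so a manually set pipeline variable chooses what runs.
WEAK_JOBS: Dict[str, List[str]] = {
    "convert": [
        "python3 $PYTHON_ARGS",                   # weak: user-set variable becomes argv
        "python3 convert.py source/report.xml",
    ],
    "lint": [
        "python3 -m flake8 ${CI_PROJECT_DIR}/source",  # only a predefined variable
    ],
}

# Hardened variant following the recommendation: no PYTHON_ARGS at all, the
# job runs a fixed script with fixed arguments.
FIXED_JOBS: Dict[str, List[str]] = {
    "convert": ["python3 convert.py source/report.xml"],
    "lint": ["python3 -m flake8 ${CI_PROJECT_DIR}/source"],
}

# Variables GitLab sets itself; expanding these is not trigger-controlled input.
PREDEFINED_PREFIXES = ("CI_", "GITLAB_")

# A script line that starts with a python interpreter (optionally with a path).
INTERPRETER = re.compile(r"^\s*(?:\S+/)?python[0-9.]*\b")
# $VAR or ${VAR} shell expansions anywhere in the line.
EXPANSION = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def find_interpreter_injections(jobs: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (job, script_line, variable) for every python invocation that
    expands a variable a pipeline trigger could supply."""
    findings = []
    for job, script in jobs.items():
        for line in script:
            if not INTERPRETER.match(line):
                continue
            for var in EXPANSION.findall(line):
                if not var.startswith(PREDEFINED_PREFIXES):
                    findings.append((job, line, var))
    return findings


if __name__ == "__main__":
    for job, line, var in find_interpreter_injections(WEAK_JOBS):
        print(f"{job}: '{line}' passes pipeline variable {var} to python")
```

The check is a coarse lint: it only catches direct expansion on the interpreter line, not variables consumed by an entrypoint or wrapper script.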