An insecure PYTHON_ARGS environment variable in the CI/CD runners allows members of a repository with permission to manually trigger a pipeline
Technical Description
The disable_entrypoint_overwrite setting (https://docs.gitlab.com/runner/configuration/advanced-configuration.html) was enabled, preventing committers from overriding the entrypoint of the convert image. The entrypoint itself was written assuming a user's ability to execute arbitrary commands on the runner instance anyway, so including an insecure PYTHON_ARGS exposed no further risk at that time.
Steps to reproduce
1. Commit a malicious Python script to the repository (touch ./source/my-evil-script.py).
2. Manually run the CI/CD pipeline with PYTHON_ARGS=./source/my-evil-script.py.
Impact
Repository members with permission to manually run a convert pipeline can execute arbitrary Python code on the GitLab Runner instance, circumventing the intended security measure (the disabled entrypoint override).
Recommendation
With entrypoint override disabled, do not include PYTHON_ARGS.
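As an added illustration (not the convert image's actual entrypoint, which the report does not show), the model below contrasts an entrypoint that hands PYTHON_ARGS straight to the interpreter with the hardened form the recommendation implies: a fixed script and no PYTHON_ARGS at all. The script name convert.py, the CONVERT_INPUT variable and the temporary repository layout are assumptions.

```python
"""Model of a container entrypoint consuming PYTHON_ARGS, beside a hardened variant.
Hypothetical code: the real convert image entrypoint is not shown in the report."""
import os
import shlex
import subprocess
import sys
import tempfile

FIXED_SCRIPT = "convert.py"  # assumption: the script the image is meant to run


def vulnerable_argv(env):
    """Weak form: whatever PYTHON_ARGS holds becomes the interpreter's arguments.
    A user who can trigger the pipeline manually controls env, so they choose the script."""
    return [sys.executable] + shlex.split(env.get("PYTHON_ARGS", FIXED_SCRIPT))


def hardened_argv(env):
    """Fixed form: the entrypoint never consults PYTHON_ARGS; only data-style inputs pass through."""
    argv = [sys.executable, FIXED_SCRIPT]
    if "CONVERT_INPUT" in env:  # assumption: a plain file-path argument, never interpreted as code
        argv += ["--input", env["CONVERT_INPUT"]]
    return argv


def run_entrypoint(build_argv, env, workdir):
    """Run the entrypoint in workdir and return what the executed script printed."""
    proc = subprocess.run(build_argv(env), cwd=workdir, env={**os.environ, **env},
                          capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()


def demo():
    """Constructed repository: the intended convert.py plus a committer-supplied script."""
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "source"))
        with open(os.path.join(repo, FIXED_SCRIPT), "w") as f:
            f.write("import sys; print('convert.py ran with', sys.argv[1:])\n")
        with open(os.path.join(repo, "source", "my-evil-script.py"), "w") as f:
            f.write("print('committer script ran')\n")
        # Same pipeline variables for both forms; only the hardened form ignores PYTHON_ARGS.
        env = {"PYTHON_ARGS": "./source/my-evil-script.py", "CONVERT_INPUT": "doc.md"}
        return (run_entrypoint(vulnerable_argv, env, repo),
                run_entrypoint(hardened_argv, env, repo))
```

With entrypoint override disabled on the runner, the hardened form is what keeps the lock meaningful: the committer's script is never executed even though the variable is set.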