diff --git a/zuul/configloader.py b/zuul/configloader.py
index c9250245eb..f175bab8d6 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -460,6 +460,8 @@ class JobParser(object):
 else:
 secret_name = secret_config['name']
 secret = layout.secrets[secret_config['secret']]
+ if secret_name == 'zuul':
+ raise Exception("Secrets named 'zuul' are not allowed.")
 if secret.source_context != job.source_context:
 raise Exception(
 "Unable to use secret %s. Secrets must be "
@@ -574,6 +576,8 @@ class JobParser(object):
 variables = conf.get('vars', None)
 if variables:
+ if 'zuul' in variables:
+ raise Exception("Variables named 'zuul' are not allowed.")
 job.updateVariables(variables)
 allowed_projects = conf.get('allowed-projects', None)
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 8f4cc1d443..cb139c63ee 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -1275,6 +1275,8 @@ class AnsibleJob(object):
 secrets = playbook['secrets']
 if secrets:
 if 'zuul' in secrets:
+ # We block this in configloader, but block it here too to make
+ # sure that a job doesn't pass secrets named zuul.
 raise Exception("Defining secrets named 'zuul' is not allowed")
 jobdir_playbook.secrets_content = yaml.safe_dump(
 secrets, default_flow_style=False)
@@ -1379,6 +1381,8 @@ class AnsibleJob(object):
 # TODO(mordred) Hack to work around running things with python3
 all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
 if 'zuul' in all_vars:
+ # We block this in configloader, but block it here too to make
+ # sure that a job doesn't pass variables named zuul.
 raise Exception("Defining vars named 'zuul' is not allowed")
 all_vars['zuul'] = args['zuul'].copy()
 all_vars['zuul']['executor'] = dict(
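Review bot: The new rejection at `if secret_name == 'zuul':` has no comment saying why the name is reserved, and the same is true of `if 'zuul' in variables:` in the second configloader hunk, while the executor hunks gain comments that point back to this file. Someone reading configloader.py on its own cannot see that the executor assigns `all_vars['zuul']` itself, so a job-supplied value under that name would collide with data the executor owns. I would add `# 'zuul' is reserved: the executor sets this variable itself.` above both checks. The enclosing JobParser code starts and ends outside both hunks.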
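Review bot: With `if 'zuul' in variables:` the reserved name is now spelled as a bare `'zuul'` literal in four separate checks across configloader.py and executor/server.py. The parse-time and run-time checks only protect the namespace if they agree, and a later edit to one file can silently leave the other behind. A single module-level constant used by all four checks, for example `RESERVED_VARIABLE_NAME = 'zuul'` (name constructed here), would keep them in step and give one place to document the restriction. Separately, the membership test is a key lookup only when `variables` is a mapping, so it is worth confirming the job schema, which is not visible in this hunk, already enforces that.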
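Review bot: The added comment above `raise Exception("Defining secrets named 'zuul' is not allowed")` opens with "We block this in configloader", which a later maintainer could read as saying this check is redundant and safe to delete; the same wording appears in the vars hunk below at `if 'zuul' in all_vars:`. These executor checks look at the final `secrets` and `all_vars` dicts just before they are used, so they are the backstop if parse-time validation is skipped or changed. I would word it as `# Backstop: configloader rejects this at parse time, but this is the last check before the value is used, so keep it.` The exception text here ("Defining secrets named 'zuul' is not allowed") also differs from the configloader wording ("Secrets named 'zuul' are not allowed."), so a log search for one misses the other.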