ed7f9da75e
It is possible to circumvent the use of `allowed-projects` in untrusted projects by creating a change which `Depends-On` a change which alters a project definition. This behavior may be unexpected, so documentation has been updated with warnings to avoid relying on it in sensitive cases. It may have been possible to expose a secret, or use resources protected by a secret, if a job using a secret was defined in an untrusted project on a system with an independent pre-merge post-review pipeline -- that is, a pipeline with `post-review` set to true, `manager` set to `independent`, and which operated on changes before they merged. To prevent disclosure or use in this situation, `allowed-projects` is now automatically set to the current project when a secret is used in a job defined in an untrusted project, and it can not be overridden. The test_trusted_secret_inheritance_gate test is removed because it only tested that jobs with secrets in an untrusted repo were able to run in a trusted repo. That is no longer possible. Change-Id: I77f6a011bca08a2433137dc29597b7cc2757adb1 Story: 2004837 Task: 29037
24 lines
1018 B
YAML
24 lines
1018 B
YAML
---
|
|
security:
|
|
- |
|
|
Jobs with secrets in untrusted projects now automatically set
|
|
`allowed-projects`.
|
|
|
|
It is possible to circumvent the use of `allowed-projects` in
|
|
untrusted projects by creating a change which `Depends-On` a
|
|
change which alters a project definition. This behavior may be
|
|
unexpected, so documentation has been updated with warnings to
|
|
avoid relying on it in sensitive cases.
|
|
|
|
It may have been possible to expose a secret, or use resources
|
|
protected by a secret, if a job using a secret was defined in an
|
|
untrusted project on a system with an independent pre-merge
|
|
post-review pipeline -- that is, a pipeline with `post-review` set
|
|
to true, `manager` set to `independent`, and which operated on
|
|
changes before they merged.
|
|
|
|
To prevent disclosure or use in this situation, `allowed-projects`
|
|
is now automatically set to the current project when a secret is
|
|
used in a job defined in an untrusted project, and it can not be
|
|
overridden.
|