Add blocklist of environment variables who could alter execution of plugins (#3934)

2025-11-29 21:48:14 +02:00 · 2024-07-18 22:54:29 +02:00
parent 764329ed1d
commit 31a45e5633
3 changed files with 60 additions and 1 deletions
--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@@ -131,9 +131,14 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe
 			return nil, err
 		}

+		toUpperTarget := strings.ToUpper(requested.Target)
+		if !environmentAllowed(toUpperTarget, stepType) {
+			continue
+		}
+
 		environment[requested.Target] = secretValue
 		// TODO: deprecated, remove in 3.x
-		environment[strings.ToUpper(requested.Target)] = secretValue
+		environment[toUpperTarget] = secretValue
 	}

 	if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() {