summaryrefslogtreecommitdiff
path: root/releasenotes/notes/app-auth-bd38c5566d8130b3.yaml
diff options
context:
space:
mode:
authorTobias Henkel <tobias.henkel@bmw.de>2020-07-20 18:12:07 +0200
committerTobias Henkel <tobias.henkel@bmw.de>2020-07-21 19:20:24 +0200
commit49fe527edb2c27f67c074be72e3fb6d665400de7 (patch)
tree2e851a40b29cbe15ca9a36b92f6cfe728d0eb3d8 /releasenotes/notes/app-auth-bd38c5566d8130b3.yaml
parent6161ad75a83cd8e8c3bd347ea7f40b0e2d6b5c33 (diff)
downloadzuul-49fe527edb2c27f67c074be72e3fb6d665400de7.tar.gz
Block localhost shell tasks in untrusted playbooks
Zuul was designed to block local code execution in untrusted environments to not only rely on bwrap to contain a job. This got broken since the creation of a command plugin that injects the zuul_job_id which is required for log streaming. However this plugin doesn't do a check if the task is a localhost task. Further it is required in trusted and untrusted environments due to log streaming. Thus we need to fork this plugin and restrict the variant that is used in untrusted environments. We do this by moving actiongeneral/command.py back to action/*. We further introduce a new catecory actiontrusted which gets the unrestricted version of this plugin. Change-Id: If81cc46bcae466f4c071badf09a8a88469ae6779 Story: 2007935 Task: 40391
Diffstat (limited to 'releasenotes/notes/app-auth-bd38c5566d8130b3.yaml')
0 files changed, 0 insertions, 0 deletions