
Commit f94b05f

fix(CI): don't allow untrusted commands when uploading (#154)
1 parent ac06c69 commit f94b05f

2 files changed

Lines changed: 22 additions & 18 deletions


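--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,5 +1,4 @@
 def workpath_linux = "/src/github.com/deis/workflow-cli"
-def keyfile = "tmp/key.json"
 
 def getBasePath = { String filepath ->
 def filename = filepath.lastIndexOf(File.separator)
@@ -15,11 +14,27 @@ def make = { String target ->
 }
 }
 
-def upload_artifacts = { String filepath ->
+def gcs_cleanup_cmd = "sh -c 'rm -rf /.config/*'"
+def gcs_bucket = "gs://workflow-cli"
+def gcs_key = "tmp/key.json"
+
+def gcs_cmd = { String cmd ->
+gcs_cmd = "docker run --rm -v ${pwd()}/tmp:/.config -v ${pwd()}/_dist:/upload google/cloud-sdk:latest "
+try {
+sh(gcs_cmd + cmd)
+} catch(error) {
+sh(gcs_cmd + gcs_cleanup_cmd)
+error 'gcs error'
+}
+}
+
+def upload_artifacts = {
 withCredentials([[$class: 'FileBinding', credentialsId: 'e80fd033-dd76-4d96-be79-6c272726fb82', variable: 'GCSKEY']]) {
-sh "mkdir -p ${getBasePath(filepath)}"
-sh "cat \"\${GCSKEY}\" > ${filepath}"
-make 'upload-gcs'
+sh "mkdir -p ${getBasePath(gcs_key)}"
+sh "cat \"\${GCSKEY}\" > ${gcs_key}"
+gcs_cmd 'gcloud auth activate-service-account -q --key-file /.config/key.json'
+gcs_cmd "gsutil -mq cp -a public-read -r /upload/* ${gcs_bucket}"
+gcs_cmd gcs_cleanup_cmd
 }
 }
 
@@ -128,7 +143,7 @@ parallel(
 env.VERSION = git_commit.take(7)
 make 'build-revision'
 
-upload_artifacts(keyfile)
+upload_artifacts()
 }
 }
 },
@@ -144,7 +159,7 @@ parallel(
 make 'bootstrap'
 make 'build-latest'
 
-upload_artifacts(keyfile)
+upload_artifacts()
 } else {
 echo "Skipping build of latest artifacts because this build is not on the master branch (branch: ${git_branch})"
 }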
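Review bot: Inside the new `gcs_cmd` closure the docker prefix is assigned to the closure's own name (`gcs_cmd = "docker run …"`), so a String and the closure share one identifier; whether that inner assignment rebinds the outer closure or lands in the script binding depends on Groovy's scoping of a variable referenced from its own initializer, and either way it is easy to misread. Give the prefix its own name declared once beside `gcs_bucket`, e.g. `def gcs_prefix = "docker run --rm -v ${pwd()}/tmp:/.config -v ${pwd()}/_dist:/upload google/cloud-sdk:latest "`, and use `sh(gcs_prefix + cmd)` in the try branch and `sh(gcs_prefix + gcs_cleanup_cmd)` in the catch. Separately, the `gsutil` call now passes `/upload/*` without the `sh -c '…'` wrapper the removed Makefile target used, so the glob reaches the agent's shell rather than the container; it presumably works only because gsutil expands wildcards itself, which is worth confirming or wrapping explicitly. The service-account key written to `tmp/key.json` is removed only by the final cleanup step or by the catch branch of `gcs_cmd`; if that cleanup `sh` fails the key stays in the workspace, so a `try`/`finally` around the three `gcs_cmd` calls in `upload_artifacts` would be the safer shape.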

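--- a/Makefile
+++ b/Makefile
@@ -18,11 +18,6 @@ DEV_ENV_PREFIX_CGO_ENABLED := docker run --rm -e CGO_ENABLED=1 -v ${CURDIR}:${DE
 DEV_ENV_CMD := ${DEV_ENV_PREFIX} ${DEV_ENV_IMAGE}
 DIST_DIR := _dist
 
-GSUTIL_IMAGE := google/cloud-sdk:latest
-GSUTIL_PREFIX := docker run --rm -v ${CURDIR}/tmp:/.config -v ${CURDIR}/${DIST_DIR}:/upload
-GSUTIL_CMD := ${GSUTIL_PREFIX} ${GSUTIL_IMAGE}
-GCS_BUCKET ?= "gs://workflow-cli"
-
 GO_FILES = $(wildcard *.go)
 GO_LDFLAGS = -ldflags "-s -X ${repo_path}/version.BuildVersion=${VERSION}"
 GO_PACKAGES = cmd parser cli $(wildcard pkg/*)
@@ -105,12 +100,6 @@ test-style:
 test-unit:
 ${DEV_ENV_PREFIX_CGO_ENABLED} ${DEV_ENV_IMAGE} sh -c '${GOTEST} $$(glide nv)'
 
-upload-gcs:
-${GSUTIL_CMD} sh -c 'gcloud auth activate-service-account -q --key-file /.config/key.json'
-${GSUTIL_CMD} sh -c 'gsutil -mq cp -a public-read -r /upload/* ${GCS_BUCKET}'
-# This has to run in the container to delete files created by the container
-${GSUTIL_CMD} sh -c 'rm -rf /.config/*'
-
 # Set local user as owner for files
 fileperms:
 ${DEV_ENV_PREFIX_CGO_ENABLED} ${DEV_ENV_IMAGE} chown -R ${UID}:${GID} .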
