TEP-0099: Parameters in Script #596

Closed

Commits on Jan 25, 2022

  1. TEP-0099: Parameters in Script

    This PR adds the problem statement for the TEP and identifies possible solutions.
    The proposal will be added in a subsequent PR after discussions of alternatives.
    
    Using `Parameter` variables directly in `script` blocks in `Tasks` is a footgun
    in two ways:
    - **Security**: It is easy for a `Task` _author_ to accidentally introduce a vector
      for code injection and, by contrast, difficult for a `Task` _user_ to verify that
      such an injection can't or hasn't taken place.
    - **Reliability**: It is easy for a `Task` _user_ to accidentally pass in a `Parameter`
      with a character that would make the `Script` invalid and fail the `Task`, making
      the `Task` extremely fragile.
    
    To solve the above problems, this TEP aims to:
    - Introduce a safe and reliable way to access `Parameter` variables from `Scripts`,
      and update the documentation and *Tekton Catalog* with the new approach.
    - Disallow use of `Parameter` variables directly in `script` blocks of `Steps` in
      *Tekton Pipelines V1 API*.
    
    References:
    * Issues:
      * tektoncd/pipeline#3226
      * tektoncd/triggers#675
      * tektoncd/plumbing#971
    * [Catalog Guidance to Avoid Using `Parameters` in `Script` Blocks](https://github.com/tektoncd/catalog/blob/main/recommendations.md#dont-use-interpolation-in-scripts-or-string-arguments)
    * Tekton Enhancement Proposals:
      * [TEP-0017: Shell-Escaped Parameters](tektoncd#208)
      * [TEP-0023: Implicit Parameters](https://github.com/tektoncd/community/blob/main/teps/0023-implicit-mapping.md)
    
    Co-authored-by: Scott Seaward <[email protected]>
    jerop and Scott Seaward committed Jan 25, 2022
    7a5cde6
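
An added example, not part of the PR or of Tekton's code: a minimal check for the pattern the commit message calls a footgun, reporting every `Parameter` variable that appears directly in a step's `script`. The two Task specs are constructed samples, `script_param_refs` and the image name are hypothetical, and the environment-variable form in the second spec is an assumed workaround, not the solution this TEP proposes.

```python
import re

# Matches $(params.name), $(params['name']) and $(params["name"]).
PARAM_REF = re.compile(
    r"""\$\(params(?:\.([A-Za-z_][\w.-]*)|\[(?:'([^']+)'|"([^"]+)")\])"""
)


def script_param_refs(task):
    """Return (step name, parameter name) for each parameter variable that
    is substituted directly into a step's `script` text."""
    findings = []
    for step in task.get("spec", {}).get("steps", []):
        script = step.get("script") or ""
        for m in PARAM_REF.finditer(script):
            name = m.group(1) or m.group(2) or m.group(3)
            findings.append((step.get("name", "<unnamed>"), name))
    return findings


# Constructed sample: the parameter value becomes part of the script source,
# so any shell metacharacter in it changes what the step executes.
INTERPOLATED = {
    "kind": "Task",
    "spec": {
        "params": [{"name": "url", "type": "string"}],
        "steps": [{
            "name": "fetch",
            "image": "example.invalid/curl",  # placeholder image
            "script": "#!/bin/sh\ncurl -sSf $(params.url) -o /workspace/out\n",
        }],
    },
}

# Constructed sample (assumed workaround): the value reaches the script as
# data through an environment variable and is quoted where it is used.
VIA_ENV = {
    "kind": "Task",
    "spec": {
        "params": [{"name": "url", "type": "string"}],
        "steps": [{
            "name": "fetch",
            "image": "example.invalid/curl",  # placeholder image
            "env": [{"name": "URL", "value": "$(params.url)"}],
            "script": '#!/bin/sh\ncurl -sSf "$URL" -o /workspace/out\n',
        }],
    },
}

if __name__ == "__main__":
    print(script_param_refs(INTERPOLATED), script_param_refs(VIA_ENV))
```

The check only inspects `script` fields, so a reference in `env` is not reported.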