
Sanitize param usage in some plumbing task script blocks #977

Merged
merged 1 commit into from Jan 6, 2022

Conversation

@ghost ghost commented Dec 22, 2021

Changes

Prior to this commit we had several script blocks using the syntax
$(params.foo) to pull in param values. As per #971
it is advised to pull these usages into environment variables to
improve robustness (unexpected characters in param values like quotes and ampersands
can cause confusing issues when a script runs) and to remove
one avenue of script injection in scenarios when a param includes
user-submitted content.

This PR patches resources in the cd, images, nightly-release,
nightly-tests and release/base directories to move param referencing
into environment variables.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide
for more details.

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Dec 22, 2021
@jerop jerop left a comment


thanks @sbwsg!

@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jerop

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 23, 2021
@jerop jerop linked an issue Dec 23, 2021 that may be closed by this pull request

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 5, 2022
@ghost

ghost commented Jan 6, 2022

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneous one. label Jan 6, 2022
@ghost

ghost commented Jan 6, 2022

/test check-pr-has-kind-label

@tekton-robot tekton-robot merged commit 9be6150 into tektoncd:main Jan 6, 2022
Comment on lines +15 to +21
env:
- name: PACKAGE
value: $(params.package)
- name: VERSION
value: $(params.version)
- name: EXTRA_FILE
value: $(params.extra-file)

You cannot have an env directly under spec, it must either go into steps or into a stepTemplate.
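As an added illustration (not code from this PR or from the tektoncd/plumbing repository), here is the pattern the PR description asks for, shown as the unsafe Task beside its hardened form, with the env block placed under stepTemplate as the review comment above requires. The Task name, param names, image and script body are constructed for this example.

```yaml
# BEFORE: Tekton substitutes the param textually into the script, so a value
# containing quotes, '&' or ';' changes what the shell executes.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: publish-unsafe          # constructed example, not a plumbing task
spec:
  params:
    - name: package
      type: string
    - name: versionTag
      type: string
  steps:
    - name: publish
      image: example.com/publisher:placeholder   # hypothetical image
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        echo "publishing $(params.package) at $(params.versionTag)"
        go build "./$(params.package)"
---
# AFTER: the same params are exposed as environment variables, so the value
# reaches the shell as data in a variable, never as script text. env is not
# a field of the Task spec itself; it belongs under steps[] or stepTemplate.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: publish-safe
spec:
  params:
    - name: package
      type: string
    - name: versionTag
      type: string
  stepTemplate:
    env:
      - name: PACKAGE
        value: $(params.package)
      - name: VERSION_TAG
        value: $(params.versionTag)
  steps:
    - name: publish
      image: example.com/publisher:placeholder
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # Double-quote the expansions so word splitting and globbing cannot act on them.
        echo "publishing ${PACKAGE} at ${VERSION_TAG}"
        go build "./${PACKAGE}"
```

Quoting the expansions is the remaining half of the fix: the env variable keeps the value out of the script text, and the double quotes keep the shell from reinterpreting it once it is there.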

Comment on lines +36 to +44
env:
- name: REMOTE_HOST
value: $(params.remote-host)
- name: REMOTE_USER
value: $(params.remote-user)
- name: REMOTE_PORT
value: $(params.remote-port)
- name: ACTION
value: $(params.action)

Ditto

Comment on lines +28 to +34
env:
- name: PACKAGE
value: $(params.package)
- name: VERSION_TAG
value: $(params.versionTag)
- name: RELEASE_BUCKET
value: $(params.releaseBucket)

ditto

Successfully merging this pull request may close these issues.

Use Environment Variables instead of Parameters in Script