Pass the job payload to the GitLab Runner custom executor
Release notes
This feature implements passing the CI job payload to the custom executor.
Overview
The custom executor was built with the goal of supporting SetUID, for this to work, the user identifier from the GitLab instance to the runner shouldn’t be affected by user input.
As it is now, a user can add a project or gitlab-ci variable with the same name as GITLAB_USER_LOGIN
. This means that there is no way to trust the value of the user login for making decisions about who can trigger jobs.
Goal
Send the gitlab_user_login in a way that does not allow project variables or gitlab-ci variables (or any user input) to change the value.
Also send Project ID, Pipeline ID, Commit hash, and Job ID in a similar fashion. Custom executor users are starting to use API calls back to the server to provide business logic and security. This becomes impossible these identifiers can be modified by developers.
Proposal
Category | Task |
---|---|
GitLab CI Job Payload | Make the GitLab CI job payload (which can't be overridden) available to the Custom Executor driver. (Job payload = JSON response sent for /api/v4/jobs/request) |
GitLab Runner API | Extend the GitLab Runner API to send information about GitLab User within JobInfo struct separately from sending it also as the GITLAB_USER_NAME variable. With this change, even if the user overwrites GITLAB_USER_NAME within job's variables:, the job payload will still contain the value that GitLab holds for this job. |
Not doing
- We aren't adding code to prevent environment variables overrides for the custom executor.
Links to related issues and merge requests / references
/cc @tmaczukin