Backend - Proposal: Restrict trigger variables

Problem

Users are leaking trigger tokens, and that has serious downsides that need to be addressed.

Proposal

Trigger Tokens are quite frequently leaked as people assume that the only thing they can do is trigger a pipeline which is, in most cases, a harmless operation.

Old proposal

Trigger Tokens are quite frequently leaked as people assume that the only thing they can do is trigger a pipeline which is, in most cases, a harmless operation.

However, because Pipeline Triggers allow any CI/CD variable to be set, they can be more dangerous than one might think.

I propose that we:

  • Add a new option when creating/editing a trigger token: "Only support known CI/CD variables". This will be enabled by default for new tokens, but disabled for existing tokens (so as not to break existing triggers). This makes existing CI/CD variables an allowlist of supported variables.

  • Update CI/CD variables so they can be toggled for triggers, further reducing the allowlist to just variables you explicitly want overridden/allowed.

    All variables would become triggerable by default (again, to not break existing triggers), but any new variables will default to having this disabled.

  • When triggering a pipeline with a disallowed variable, an error will be returned linking to this feature, which describes how "triggerable" variables work.

Implementation Table

header header
Backend 👈
Frontend #424688


Edited by Veethika Mishra
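The allowlist check described in the proposal, sketched as an added example (this is not GitLab's code and not part of the original issue). The struct names, the `only_known_variables` and `triggerable` fields, the error class and the sample variables are all hypothetical.

```ruby
# Added illustration of the proposed check; every name here is hypothetical.
require "set"

TriggerToken    = Struct.new(:only_known_variables) # proposed per-token option
ProjectVariable = Struct.new(:key, :triggerable)    # proposed per-variable toggle

class DisallowedTriggerVariable < StandardError
  attr_reader :keys

  def initialize(keys)
    @keys = keys
    # The proposal wants the error to link to the feature docs; placeholder text only.
    super("Variables not allowed for this trigger: #{keys.join(', ')} " \
          "(see the 'triggerable variables' documentation)")
  end
end

# Returns the variables that may reach the pipeline, or raises if any
# requested key is outside the allowlist. Nothing is silently dropped.
def permitted_trigger_variables(token, project_variables, requested)
  requested = requested.transform_keys(&:to_s)
  # Existing tokens keep today's behaviour: the option is off, anything goes.
  return requested unless token.only_known_variables

  # Allowlist = variables defined on the project AND toggled as triggerable.
  allowlist = project_variables.select(&:triggerable).map(&:key).to_set
  rejected  = requested.keys.reject { |key| allowlist.include?(key) }
  raise DisallowedTriggerVariable.new(rejected) unless rejected.empty?

  requested
end

# Constructed sample data: one variable opted in, one secret left untriggerable.
SAMPLE_VARIABLES = [
  ProjectVariable.new("DEPLOY_ENV", true),
  ProjectVariable.new("REGISTRY_PASSWORD", false)
].freeze

if __FILE__ == $PROGRAM_NAME
  restricted = TriggerToken.new(true)
  p permitted_trigger_variables(restricted, SAMPLE_VARIABLES, "DEPLOY_ENV" => "staging")
  begin
    permitted_trigger_variables(restricted, SAMPLE_VARIABLES, "REGISTRY_PASSWORD" => "x")
  rescue DisallowedTriggerVariable => e
    puts e.message
  end
end
```

Rejecting the whole request, rather than dropping the disallowed keys, keeps a leaked token from silently starting a pipeline with partial overrides and gives the caller the error the proposal asks for.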