Frontend - Proposal: Restrict trigger variables
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
THIS IS THE FRONTEND WORK ONLY FOR #416619 (closed).
Problem
Users are leaking trigger tokens, and we need to address that.
Proposal
Add an alert banner to the trigger token section stating the criticality of trigger tokens and suggesting security measures:
Discussion happening in: #416619 (comment 1693954092)
Old proposal
Trigger Tokens are quite frequently leaked as people assume that the only thing they can do is trigger a pipeline which is, in most cases, a harmless operation.
However, because Pipeline Triggers allow any CI/CD variable to be set they can be more dangerous than one might think.
I propose that we:
-
Add a new option when creating/editing a trigger token: "Only support known CI/CD variables". This will be enabled by default for new tokens, but disabled for existing tokens (as not to break existing triggers). This makes existing CI/CD variables an allowlist of supported variables.
-
Update CI/CD variables so they can be toggled for triggers, further reducing the allowlist to just variables you explicitly want overridden/allowed.
All variables would become triggerable by default (again, to not break existing triggers), but any new variables will default to having this disabled.
-
When triggering a pipeline with a disallowed variable an error will be returned linking to this feature which describes how "triggerable" variables work.
Implementation Table
| header | header |
|---|---|
| Backend | #416619 (closed) |
| Frontend |