Security review: use the untrusted flow when buildpacks are added to a trusted builder #2221
Closed
1 task
Comments
natalieparellano referenced this issue in buildpacks/pack-private on May 2, 2024:
Fixes https://github.com/buildpacks/pack-private/issues/21
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Description
This came up during the security review.
pack build <trusted-builder> --buildpack <untrusted-buildpack>
would allow a malicious buildpack to run in the same container as registry credentials and/or the docker socket.
Proposed solution
If any buildpacks are added (via --buildpack, --extension or project.toml) we should use the untrusted (5 phases) flow. We should probably make an exception for inline buildpacks as these are added directly by the developer.
Describe alternatives you've considered
Additional context
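The rule proposed in this issue, sketched as an added Go example (not part of the original issue and not pack's own code). The type and function names are hypothetical, and it assumes any source other than the builder itself or an inline buildpack counts as added, so unknown sources fail closed.

```go
package main

import "fmt"

// Source records how a buildpack or extension entered the build.
// All names in this example are hypothetical, not pack's API.
type Source int

const (
	FromBuilder     Source = iota // shipped in the builder image
	FromFlag                      // --buildpack or --extension
	FromProjectTOML               // referenced from project.toml
	InlineProject                 // inline buildpack written in project.toml
)

type Module struct {
	Ref    string
	Source Source
}

type Flow string

const (
	TrustedFlow   Flow = "trusted"
	UntrustedFlow Flow = "untrusted (5 phases)"
)

// SelectFlow returns the flow to use and the refs that forced the untrusted flow.
// Only builder-provided and inline modules keep the trusted flow; every other
// source, including values this code does not know, counts as added.
func SelectFlow(builderTrusted bool, modules []Module) (Flow, []string) {
	var added []string
	for _, m := range modules {
		if m.Source != FromBuilder && m.Source != InlineProject {
			added = append(added, m.Ref)
		}
	}
	if !builderTrusted || len(added) > 0 {
		return UntrustedFlow, added
	}
	return TrustedFlow, nil
}

func main() {
	// Constructed input: trusted builder, one inline and one flag-supplied buildpack.
	mods := []Module{{"inline/setup", InlineProject}, {"registry.example/untrusted-buildpack", FromFlag}}
	flow, why := SelectFlow(true, mods)
	fmt.Printf("flow=%s added=%v\n", flow, why)
}
```

Returning the refs that triggered the untrusted flow lets the caller log why a trusted builder was not run in the trusted flow.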