Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security review: use the untrusted flow when buildpacks are added to a trusted builder #2221

Closed
1 task
natalieparellano opened this issue Apr 23, 2024 · 0 comments · Fixed by buildpacks/pack-private#30
Closed
1 task

Security review: use the untrusted flow when buildpacks are added to a trusted builder #2221

natalieparellano opened this issue Apr 23, 2024 · 0 comments · Fixed by buildpacks/pack-private#30
Assignees
@natalieparellano

Comments

@natalieparellano
Copy link
Member

Description

This came up during the security review. pack build <trusted-builder> --buildpack <untrusted-buildpack> would allow a malicious buildpack to run in the same container as registry credentials and/or the docker socket.

Proposed solution

If any buildpacks are added (via --buildpack, --extension or project.toml) we should use the untrusted (5 phases) flow. We should probably make an exception for inline buildpacks as these are added directly by the developer.

Describe alternatives you've considered

Additional context

  • This feature should be documented somewhere
natalieparellano referenced this issue in buildpacks/pack-private May 2, 2024
@natalieparellano
Use the untrusted flow when buildpacks are added to a trusted builder
1ab72dd 
Fixes https://github.com/buildpacks/pack-private/issues/21

Signed-off-by: Natalie Arellano <narellano@vmware.com>
@natalieparellano natalieparellano mentioned this issue May 2, 2024
Merged
@natalieparellano natalieparellano self-assigned this Jul 1, 2024
@natalieparellano natalieparellano transferred this issue from buildpacks/pack-private Jul 17, 2024
@natalieparellano natalieparellano mentioned this issue Jul 17, 2024
Closed
1 task
@edmorley edmorley mentioned this issue Jul 18, 2024
Closed
@edmorley edmorley mentioned this issue Aug 27, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@natalieparellano natalieparellano

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use the untrusted flow when buildpacks are added to a trusted builder buildpacks/pack-private
1 participant
@natalieparellano