Use job response file data to generate task metadata filename

Axel von Bertoldi requested to merge avonbertoldi/36288-job-response-file into master

As described in https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36288, the Fargate driver stores task metadata in an insecure manner which makes it possible to hijack jobs and steal secrets.

The preferred approach is to use the keys provided by the job response file to generate the task metadata filename instead of relying on automatic environment variables, which can be clobbered by users in the job definition.

the store this sensitive data in the job response file. This is more secure than the existing approach because the value of the `JOB_RESPONSE_FILE Best reviewed commit at a time.

Closes https://gitlab.com/gitlab-org/gitlab-runner/-/issues/36288

Edited by Axel von Bertoldi
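
An added illustration of the approach described above, not code from this merge request or from gitlab-runner: it contrasts a task metadata filename built from a job variable with one derived from the job response file. The JSON keys `id` and `token`, the variable name `CUSTOM_ENV_CI_JOB_ID`, the `task-….json` naming and the SHA-256 derivation are all assumptions made for the sketch.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// jobResponse holds only the fields this sketch reads. The JSON keys "id" and
// "token" are assumptions about the job response file layout.
type jobResponse struct {
	ID    int64  `json:"id"`
	Token string `json:"token"`
}

// nameFromEnv builds the filename from a job variable, which a job definition
// can override. CUSTOM_ENV_CI_JOB_ID is an assumed variable name.
func nameFromEnv(env map[string]string) string {
	return "task-" + env["CUSTOM_ENV_CI_JOB_ID"] + ".json"
}

// nameFromJobResponse builds the filename from values the runner wrote into
// the job response file, so job-level variables cannot influence it.
func nameFromJobResponse(raw []byte) (string, error) {
	var jr jobResponse
	if err := json.Unmarshal(raw, &jr); err != nil {
		return "", fmt.Errorf("parse job response: %w", err)
	}
	if jr.ID == 0 || jr.Token == "" {
		return "", errors.New("job response lacks id or token")
	}
	// Hash the values so the token itself never appears in a path.
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d:%s", jr.ID, jr.Token)))
	return "task-" + hex.EncodeToString(sum[:]) + ".json", nil
}

func main() {
	// Constructed sample data: two jobs; the second overrides the job ID variable.
	jobA := []byte(`{"id": 101, "token": "constructed-token-a"}`)
	jobB := []byte(`{"id": 202, "token": "constructed-token-b"}`)
	fmt.Println(nameFromEnv(map[string]string{"CUSTOM_ENV_CI_JOB_ID": "101"}))
	fmt.Println(nameFromEnv(map[string]string{"CUSTOM_ENV_CI_JOB_ID": "101"})) // job B, overridden
	a, _ := nameFromJobResponse(jobA)
	b, _ := nameFromJobResponse(jobB)
	fmt.Println(a != b)
}
```

The env-derived names collide whenever a job sets the variable to another job's ID, while the names derived from the job response file differ for every distinct ID and token pair.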
