Woodpecker's custom environment variables allow to alter execution flow of plugins

Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

• Those workflows can either lead to a host takeover that runs the agent executing the workflow.
• Or allow to extract the secrets who would be normally provided to the plugins who’s entrypoint are overwritten.

Patches

https://github.com/woodpecker-ci/woodpecker/pull/3909
https://github.com/woodpecker-ci/woodpecker/pull/3934

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Enable the “gated” repo feature and review each change upfront of running

References

• https://github.com/woodpecker-ci/woodpecker/pull/3909
• https://github.com/woodpecker-ci/woodpecker/pull/3934
• https://github.com/woodpecker-ci/woodpecker-security/issues/10 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3929)
• https://github.com/woodpecker-ci/woodpecker/issues/3929 (info will be published later once we got adoption of the update)

Credits

• Daniel Kilimnik @D_K_Dev (Neodyme AG)
• Felipe Custodio Romero @localo (Neodyme AG)