Woodpecker's custom workspace allow to overwrite plugin entrypoint executable

Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

• Those workflows can either lead to a host takeover that runs the agent executing the workflow.
• Or allow to extract the secrets who would be normally provided to the plugins who’s entrypoint are overwritten.

Patches

https://github.com/woodpecker-ci/woodpecker/pull/3933

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Enable the “gated” repo feature and review each change upfront

References

• https://github.com/woodpecker-ci/woodpecker/pull/3933
• https://github.com/woodpecker-ci/woodpecker-security/pull/11
• https://github.com/woodpecker-ci/woodpecker-security/issues/8 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924)
• https://github.com/woodpecker-ci/woodpecker-security/issues/9 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924)
• https://github.com/woodpecker-ci/woodpecker/issues/3924 (info will be published later once we got adoption of the update)

Credits

• Daniel Kilimnik @D_K_Dev (Neodyme AG)
• Felipe Custodio Romero @localo (Neodyme AG)