fix(CI): don't allow untrusted commands when uploading
Joshua Anderson committed Jul 28, 2016
1 parent c655ea0 commit 95ac550
Showing 2 changed files with 22 additions and 18 deletions.
29 changes: 22 additions & 7 deletions Jenkinsfile
@@ -1,5 +1,4 @@
def workpath_linux = "/src/github.com/deis/workflow-cli"
def keyfile = "tmp/key.json"

def getBasePath = { String filepath ->
def filename = filepath.lastIndexOf(File.separator)
Expand All @@ -15,11 +14,27 @@ def make = { String target ->
}
}

def upload_artifacts = { String filepath ->
def gcs_cleanup_cmd = "sh -c 'rm -rf /.config/*'"
def gcs_bucket = "gs://workflow-cli"
def gcs_key = "tmp/key.json"

def gcs_cmd = { String cmd ->
gcs_cmd = "docker run --rm -v ${pwd()}/tmp:/.config -v ${pwd()}/_dist:/upload google/cloud-sdk:latest "
try {
sh(gcs_cmd + cmd)
} catch(error) {
sh(gcs_cmd + gcs_cleanup_cmd)
false
}
}

def upload_artifacts = {
withCredentials([[$class: 'FileBinding', credentialsId: 'e80fd033-dd76-4d96-be79-6c272726fb82', variable: 'GCSKEY']]) {
sh "mkdir -p ${getBasePath(filepath)}"
sh "cat \"\${GCSKEY}\" > ${filepath}"
make 'upload-gcs'
sh "mkdir -p ${getBasePath(gcs_key)}"
sh "cat \"\${GCSKEY}\" > ${gcs_key}"
gcs_cmd 'gcloud auth activate-service-account -q --key-file /.config/key.json'
gcs_cmd 'gsutil -mq cp -a public-read -r /upload/* ${gcs_bucket}'
gcs_cmd gcs_cleanup_cmd
}
}

Expand Down Expand Up @@ -113,7 +128,7 @@ parallel(
env.VERSION = git_commit.take(7)
make 'build-revision'

upload_artifacts(keyfile)
upload_artifacts()
}
}
},
Expand All @@ -129,7 +144,7 @@ parallel(
make 'bootstrap'
make 'build-latest'

upload_artifacts(keyfile)
upload_artifacts()
} else {
echo "Skipping build of latest artifacts because this build is not on the master branch (branch: ${git_branch})"
}
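Review bot: The new `gcs_cmd 'gsutil -mq cp -a public-read -r /upload/* ${gcs_bucket}'` line is a single-quoted Groovy string, so `${gcs_bucket}` is not interpolated by Groovy and is handed to the host shell, where no such shell variable exists; the copy will most likely run with an empty destination, and because the `catch(error)` branch in `gcs_cmd` only runs the cleanup and evaluates to `false`, the failed upload would not fail the build. Inside the `gcs_cmd` closure the line `gcs_cmd = "docker run …"` also lacks a `def`, so it appears to rebind the outer `gcs_cmd` variable (the closure itself) to a String on the first call — please confirm, but a local name for the docker prefix avoids the question entirely. The rewrite below keeps the in-container key cleanup on the failure path but rethrows so the pipeline sees the error, and double-quotes the gsutil line so `gcs_bucket` is expanded by Groovy. `upload_artifacts` and `gcs_cmd` are fully visible in the hunk; the `make` closure's body begins above it.
```groovy
def gcs_cmd = { String cmd ->
    def docker_prefix = "docker run --rm -v ${pwd()}/tmp:/.config -v ${pwd()}/_dist:/upload google/cloud-sdk:latest "
    try {
        sh(docker_prefix + cmd)
    } catch(error) {
        // Best-effort removal of the key left under tmp/ by the container, then surface the original failure.
        sh(docker_prefix + gcs_cleanup_cmd)
        throw error
    }
}
// … unchanged: upload_artifacts, withCredentials, key file creation, auth activation …
        gcs_cmd "gsutil -mq cp -a public-read -r /upload/* ${gcs_bucket}"
// … unchanged: cleanup call …
```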
11 changes: 0 additions & 11 deletions Makefile
Expand Up @@ -18,11 +18,6 @@ DEV_ENV_PREFIX_CGO_ENABLED := docker run --rm -e CGO_ENABLED=1 -v ${CURDIR}:${DE
DEV_ENV_CMD := ${DEV_ENV_PREFIX} ${DEV_ENV_IMAGE}
DIST_DIR := _dist

GSUTIL_IMAGE := google/cloud-sdk:latest
GSUTIL_PREFIX := docker run --rm -v ${CURDIR}/tmp:/.config -v ${CURDIR}/${DIST_DIR}:/upload
GSUTIL_CMD := ${GSUTIL_PREFIX} ${GSUTIL_IMAGE}
GCS_BUCKET ?= "gs://workflow-cli"

GO_FILES = $(wildcard *.go)
GO_LDFLAGS = -ldflags "-s -X ${repo_path}/version.BuildVersion=${VERSION}"
GO_PACKAGES = cmd parser cli $(wildcard pkg/*)
Expand Down Expand Up @@ -105,12 +100,6 @@ test-style:
test-unit:
${DEV_ENV_PREFIX_CGO_ENABLED} ${DEV_ENV_IMAGE} sh -c '${GOTEST} $$(glide nv)'

upload-gcs:
${GSUTIL_CMD} sh -c 'gcloud auth activate-service-account -q --key-file /.config/key.json'
${GSUTIL_CMD} sh -c 'gsutil -mq cp -a public-read -r /upload/* ${GCS_BUCKET}'
# This has to run in the container to delete files created by the container
${GSUTIL_CMD} sh -c 'rm -rf /.config/*'

# Set local user as owner for files
fileperms:
${DEV_ENV_PREFIX_CGO_ENABLED} ${DEV_ENV_IMAGE} chown -R ${UID}:${GID} .
