Bitbucket Cloud: BCLOUD-17232

Limit what environment variables get used in a Docker container/BP step

      Description

      Hello!

      I have a question/concern regarding the use of SSH keys in BP. Here's the scenario:

      Suppose that when a pipeline runs and all my tests within have passed, I like to tag the associated commit in Bitbucket. Naturally, this means my Docker container has to have a private key written to it, which is not a problem. I use the suggested technique of having an environment variable store the obfuscated key, then:

      (umask 077; echo "$MY_SSH_KEY" | base64 --decode > ~/.ssh/id_rsa)

      So, no problem there. I now have the ability to push back to my repo. Great. But, here's the issue:

      Now suppose I allow people to fork and make PRs. If I merge in an outside party's PR (after a review, obviously), I risk having malicious code in my repo. This code could, say, send all the environment variables in the Docker container within a unit test. So, some outside party could get my SSH key.

      QUESTION:

      • is there a way to limit what environment variables make it to what BP steps
      • if not, could this be an included feature...or...
      • maybe I'm on the wrong track altogether?

      Actually, one thing I just realized I could do is:

      • break the pipeline up into steps that share a built artifact
      • in the step that does the test and build, the first line would be to erase the environment variable
      • the step that does the tagging would do the id_rsa write above (instead of erasing the environment variable)

      Did I just solve my own problem?
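As an added illustration (not from the issue and not Bitbucket's own code or documentation), the two step scripts the reporter proposes, written as POSIX shell functions: the test/build step drops the secret before anything untrusted runs, and the tag step is the only place the key is written. The variable name MY_SSH_KEY comes from the issue; the function names and key directory are assumptions.

```shell
#!/bin/sh
# Constructed example of the reporter's two-step layout; not from the issue.

# Test/build step: the first thing the script does is remove the secret.
# `unset` deletes the variable from this shell's environment, so the test
# runner (a child process) cannot read it. Returns 0 when a child can no
# longer see the variable.
scrub_secret() {
  unset MY_SSH_KEY
  sh -c '[ -z "${MY_SSH_KEY+x}" ]'
}

# Tag step: decode the base64 key into $1/id_rsa. umask 077 inside a subshell
# makes the file 0600 at creation without changing the caller's umask, and
# the variable is dropped as soon as the file exists so later commands
# (and their children) never see it. Returns 0 only if the file ended up 0600.
install_key() {
  key_dir="$1"
  mkdir -p "$key_dir" || return 1
  (umask 077; printf '%s' "$MY_SSH_KEY" | base64 --decode > "$key_dir/id_rsa") || return 1
  unset MY_SSH_KEY
  # GNU stat first, BSD stat as the fallback; ssh rejects keys readable by others.
  mode=$(stat -c '%a' "$key_dir/id_rsa" 2>/dev/null || stat -f '%Lp' "$key_dir/id_rsa")
  [ "$mode" = "600" ]
}
```

`unset` only protects commands that run after it in the same step; the value is still present in the step's starting environment, so it must be the first line, as the reporter says.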

            People

            Assignee:
            Unassigned
            Reporter:
            ryan.bannon ryanbannon