core: commander: Add environment_variables endpoint #1467
Signed-off-by: Patrick José Pereira <patrickelectric@gmail.com>
I wonder if these could be used to expose things we don't want exposed, such as CI variables
You already have access to it via the terminal
I believe the env variables set for creating the docker (like docker hub keys) wouldn't be accessible from inside the docker if we don't deliberately pass them with
I may be misunderstanding this, but given we can run
Yes, but my point was that we have a tool inside the docker that allows you to access the outside, so from a security standpoint anything we can access via the web terminal that doesn't require putting in a password is also accessible to an arbitrary program running in the docker.
I agree, and that security hole has existed since we added the commander (
I was actually thinking of CI, where our dockerhub credentials were available, but GitHub does require us to allow CI to run for new contributors, and also I think now that is only provided to the deployment action
Helps #1466