Uploaded image for project: 'OpenShift Pipelines'
  1. OpenShift Pipelines
  2. SRVKP-9200

Security: remember-ok-to-test: false is not respected on new commits after an initial /ok-to-test approval

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • Pipelines as Code
    • None
    • 3
    • False
    • Hide

      None

      Show
      None
    • False
    • Hide
      Before this update, when `remember-ok-to-test` was set to `false`, a single `/ok-to-test` approval on a pull request from an unauthorized user was incorrectly "remembered" for all subsequent commits pushed to that same PR. This has been fixed by ensuring that permissions are re-evaluated on every new commit, correctly halting CI and requiring a new `/ok-to-test` for each change as intended.
      Show
      Before this update, when `remember-ok-to-test` was set to `false`, a single `/ok-to-test` approval on a pull request from an unauthorized user was incorrectly "remembered" for all subsequent commits pushed to that same PR. This has been fixed by ensuring that permissions are re-evaluated on every new commit, correctly halting CI and requiring a new `/ok-to-test` for each change as intended.
    • Bug Fix
    • Done
    • Pipelines Sprint CrookShank 41, Pipelines Sprint CrookShank 42

      Problem Statement: The Pipelines-as-Code controller incorrectly bypasses permission checks for new commits on a pull request if a previous commit on that same PR was manually approved with /ok-to-test. This behavior occurs even when the remember-ok-to-test setting is explicitly set to false, creating a security vulnerability where unauthorized code can be executed repeatedly after only a single approval.

      The remember-ok-to-test: false setting is designed to enforce that every new commit from an unauthorized user must be manually approved. The current bug effectively makes the /ok-to-test command "sticky" for the life of the pull request, regardless of the setting.

      Environment:

      • Pipelines-as-Code (PaC)
      • Git Provider: GitLab
      • PaC Configuration: The remember-ok-to-test setting is set to false in the pipelines-as-code ConfigMap.

       

      Steps to Reproduce

       

      1. Ensure the remember-ok-to-test setting is explicitly set to false in the PaC ConfigMap.
      1. Have an unauthorized user (e.G., a first-time contributor from a fork, a user not in the OWNERS file) open a new Pull Request with a single commit (Commit A).
      1. Observe (Correct): PaC identifies the user as unauthorized and posts a comment stating that CI is halted and requires an admin to comment /ok-to-test.
      1. A repository admin (a user with write/admin permissions) reviews Commit A and posts an /ok-to-test comment.
      1. Observe (Correct): PaC runs the CI for Commit A.
      1. The unauthorized user pushes a new commit (Commit B) to the same pull request.
      1. Observe (The Bug): PaC immediately triggers the CI for Commit B. It bypasses the permission check.

       

      Expected Result

      At Step 7, when the unauthorized user pushes Commit B, the PaC controller should re-evaluate permissions for this new commit. Because remember-ok-to-test: false, it should again identify the user as unauthorized and halt CI execution. A new comment should be posted stating that admin approval (another /ok-to-test) is required for the new changes.

       

      Actual Result

      At Step 7, PaC immediately runs the CI for Commit B without requiring a new /ok-to-test. The remember-ok-to-test: false setting is ignored, and the initial approval is incorrectly "remembered" for all subsequent commits on the PR.

              rh-ee-zashaikh Zaki Shaikh
              rh-ee-zashaikh Zaki Shaikh
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: