Closed duanecawthron closed 10 years ago
I did this because the hook executable is always launched as a stash system user, so anyone can just create a private repo and write something terrible like rm -rf ../
and get all repos deleted. So, I've decided to restrict this field to a Stash Admin only, but you can edit Positional Parameters as Project Admin. So if you want some different configuration in different repos, you should ask the Stash Admin to create a script that behaves in different ways with different input arguments.
I have no idea of a better way to resolve this security issue, but if you have one, you're welcome!
I understand your concern. Thank you for the quick response.
I seem to be able to add any script or executable as a repo admin. I thought that Stash Admin would mean a global role like Admin or System Admin.
@mjbros: you actually should be System Admin, not repo admin. You can specify the executable only with the [x] safe path option turned on.
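An added example, not code from the hook plugin or its author (and in Python rather than the plugin's Java), of the two controls the maintainer describes above: the executable field is only honoured when it resolves inside an admin-controlled hook directory (the "safe path" idea), while project-admin-supplied positional parameters are passed as separate argv entries rather than through a shell, so they stay data instead of becoming commands. The hook root directory, the notify.sh script and the escaping symlink are all constructed in a temporary directory for the demonstration.

```python
"""Safe-path check for an externally configured post-receive hook (added example)."""
from __future__ import annotations

import subprocess
import tempfile
from pathlib import Path


class UnsafeHookPath(ValueError):
    """Configured executable does not resolve to a regular file inside the hook root."""


def resolve_safe_executable(configured: str, hook_root: Path) -> Path:
    """Return the real path of `configured` only if it lives under `hook_root`.

    Symlinks and `..` segments are resolved before the comparison, so
    `../outside.sh`, an absolute path such as `/bin/sh`, and a symlink that
    points outside the hook root are all rejected, as is anything that is
    not a regular file (the root itself, directories, missing files).
    """
    root = hook_root.resolve()
    # A relative name is interpreted under the hook root; joining an absolute
    # path replaces the root, so it must already point inside to be accepted.
    candidate = (root / configured).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafeHookPath(f"{configured!r} escapes {root}") from None
    if candidate == root or not candidate.is_file():
        raise UnsafeHookPath(f"{configured!r} is not a regular file under {root}")
    return candidate


def run_hook(configured: str, positional_params: list[str], hook_root: Path) -> subprocess.CompletedProcess:
    """Launch the validated hook with the parameters as argv entries.

    No shell is involved (an argv list, never shell=True), so a parameter such
    as `foo; rm -rf ../` reaches the script as one literal argument.
    """
    exe = resolve_safe_executable(configured, hook_root)
    return subprocess.run([str(exe), *positional_params], capture_output=True, text=True, check=False)


def demo() -> dict:
    """Build a constructed hook root, exercise the checks and return the outcomes."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "hooks"          # assumed admin-controlled hook directory
        root.mkdir()
        script = root / "notify.sh"         # constructed hook: echoes each argv entry on its own line
        script.write_text("#!/bin/sh\nprintf '%s\\n' \"$@\"\n")
        script.chmod(0o755)
        outside = Path(tmp) / "outside.sh"  # constructed file outside the hook root
        outside.write_text("#!/bin/sh\necho outside\n")
        (root / "escape.sh").symlink_to(outside)  # symlink inside the root pointing outside it

        results["accepted"] = resolve_safe_executable("notify.sh", root) == script.resolve()
        for name in ("../outside.sh", "escape.sh", "/bin/sh", "."):
            try:
                resolve_safe_executable(name, root)
                results[name] = "accepted"
            except UnsafeHookPath:
                results[name] = "rejected"

        proc = run_hook("notify.sh", ["refs/heads/main", "foo; rm -rf ../"], root)
        results["returncode"] = proc.returncode
        results["argv_lines"] = proc.stdout.splitlines()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares resolved paths rather than string prefixes, which is what makes the symlink and `..` cases fail closed; the argv-list launch is what lets a less privileged role safely own the parameters while the executable itself stays with the administrator.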
Hi, thanks for the hook. It's great. When I first started using it I could configure the hook as project Admin. Now, it will not let me configure the Executable and Positional Parameters of the External Post Receive Hook. It says, "You should be Stash Administrator to edit this field." Is that what you intended? It seems too restrictive to me.