teemtee / tmt

Test Management Tool
MIT License

Allow `local` provision only with the `--feeling-safe` option #3027

Closed psss closed 2 months ago

psss commented 3 months ago

In order to make the tmt run command always safe to execute, even when entering an unknown repository, we should refuse to execute a plan with provision --how local to prevent executing arbitrary code on the user's laptop.

As some users might already use this in their automation the decision from the hacking session is to start showing a warning since 1.35 and refuse to execute such plans in later tmt version. Let's give it roughly three months and add a hard stop in 1.38 or so?

In addition to the command line option, environment variable TMT_FEELING_SAFE should be implemented to allow users to enable this behaviour by default. This should probably include a warning, as such setting might be dangerous.

Would it make sense to also implement something like --feeling-paranoid which would override the environment variable above (or future user configuration), in order to make the tmt run command safe regardless of the environment or config?

LecrisUT commented 3 months ago

> In addition to the command line option, environment variable TMT_FEELING_SAFE should be implemented to allow users to enable this behaviour by default. This should probably include a warning, as such setting might be dangerous.

Not sure about the warning part, e.g. if it's run in a CI environment.

> Would it make sense to also implement something like --feeling-paranoid which would override the environment variable above (or future user configuration), in order to make the tmt run command safe regardless of the environment or config?

Lol, that would be fun :+1:

happz commented 3 months ago

> Would it make sense to also implement something like --feeling-paranoid which would override the environment variable above (or future user configuration), in order to make the tmt run command safe regardless of the environment or config?
>
> Lol, that would be fun 👍

Having a kill switch like this would be nice, exactly for CI systems: when set, no matter what the user sets in plans or environment, unsafe actions would remain disabled.

thrix commented 3 months ago

Yes, I agree, in CI we would set the paranoid flag.

psss commented 3 months ago

> In addition to the command line option, environment variable TMT_FEELING_SAFE should be implemented to allow users to enable this behaviour by default. This should probably include a warning, as such setting might be dangerous.
>
> Not sure about the warning part, e.g. if it's run in a CI environment.

Ah, probably just a wrong wording on my side? I meant that the description of the newly added environment variable TMT_FEELING_SAFE should include a warning that setting this option in the user environment means enabling the possibly unsafe behaviour by default and can be dangerous. Does that make sense?
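The gating logic the thread proposes (warn from 1.35, refuse from 1.38, opt in via `--feeling-safe` or `TMT_FEELING_SAFE`, and a `--feeling-paranoid` kill switch that wins over everything, as happz describes for CI), written out as an added example. This is not tmt's own code: the version thresholds, the accepted spellings of the environment variable and the precedence between flag, variable and kill switch are assumptions taken from the discussion.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Assumed thresholds from the discussion: warn from 1.35, hard stop from 1.38 "or so".
WARN_SINCE: Tuple[int, int] = (1, 35)
REFUSE_SINCE: Tuple[int, int] = (1, 38)
ENV_VAR = "TMT_FEELING_SAFE"


@dataclass
class Decision:
    allowed: bool                   # may a plan with `provision --how local` run?
    source: str                     # which rule decided it
    warning: Optional[str] = None   # message to show the user, if any


def env_feeling_safe(environ: Mapping[str, str]) -> bool:
    """Assumed truthy spellings for TMT_FEELING_SAFE; tmt's own parsing may differ."""
    return environ.get(ENV_VAR, "").strip().lower() in {"1", "true", "yes", "on"}


def local_provision_decision(
    tmt_version: Tuple[int, int],
    feeling_safe: bool = False,       # --feeling-safe on the command line
    feeling_paranoid: bool = False,   # proposed --feeling-paranoid kill switch
    environ: Optional[Mapping[str, str]] = None,
) -> Decision:
    """Decide whether `provision --how local` may execute for this tmt release."""
    environ = os.environ if environ is None else environ
    # The kill switch overrides flags, environment and any future user config.
    if feeling_paranoid:
        return Decision(False, "--feeling-paranoid")
    # Explicit opt-in on the command line needs no warning.
    if feeling_safe:
        return Decision(True, "--feeling-safe")
    # Opt-in via the environment makes unsafe the default, so say so every time.
    if env_feeling_safe(environ):
        return Decision(True, ENV_VAR,
                        f"{ENV_VAR} is set: local provision is enabled by default, which can be dangerous.")
    # No opt-in: behaviour depends on the release, following the agreed transition.
    if tmt_version >= REFUSE_SINCE:
        return Decision(False, "hard stop",
                        "provision --how local refused; rerun with --feeling-safe to allow it.")
    if tmt_version >= WARN_SINCE:
        return Decision(True, "transition",
                        "provision --how local will be refused in a future release; use --feeling-safe.")
    return Decision(True, "legacy")
```

Passing `environ={}` makes the decision independent of the caller's real environment, which is what a test or a CI job that sets the paranoid flag wants.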