https://docs.docker.com/userguide/dockerlinks/ > Warning: It is important to understand that all environment variables > originating from Docker within a container are made available to any container > that links to it. This could have serious security implications if sensitive > data is stored in them. Yet taskcluster-proxy will accept credentials via env: https://github.com/taskcluster/taskcluster-proxy/blob/master/main.go#L58 taskcluster-vpn-proxy takes vpn configuration in a directory: https://github.com/taskcluster/taskcluster-vpn-proxy/blob/master/Dockerfile#L17 but takes other config via env var. Testdroid-proxy seems to do the right thing (command-line only). At the least, taskcluster-proxy should not accept credentials via env var. Ideally, no proxy should accept any configuration that way.
Summary: Providing credentials to docker-worker proxies is dangerous → Providing credentials to docker-worker proxies via env vars is dangerous
Summary: Providing credentials to docker-worker proxies via env vars is dangerous → docker-worker: Providing credentials to docker-worker proxies via env vars is dangerous
Component: TaskCluster → Docker-Worker
Product: Testing → Taskcluster
Whiteboard: [relsec] → [docker-worker]
Component: Docker-Worker → Worker
I think this was fixed...
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.