Closed
Opened Mar 13, 2018 by Anonymous@Anonymous

update hook for Main git when handling push from weblate

Originally created by @Anonymous on #15402 (Redmine)

This script is the security barrier into maingit. It is triggered by the bare git hook mechanism.
It is placed inside puppet-tails: files/gitolite/hooks/tails-weblate-update.hook

Environment:

  • the script is triggered for every push to tails.git
  • malicious users try to trick this script
  • the translation-server may be compromised and the weblate user may push malicious commits.
  • GL_USER is an environment variable that is set by gitolite, is safe to rely on, and indicates the user that is pushing.
  • If the script returns with a status code 0 the push is allowed, and not 0 if not allowed.
  • Any output to stdout/stderr is allowed but only displayed to the user.

Expected outcome:

  • Weblate needs to use “weblate <tails-l10n@boum.org>” as committer “name ” in any case
  • Weblate is ONLY to push po files, nothing else, in any case.
  • Everything else is not allowed for weblate.
  • For all other users the script should not do anything.

Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes

Attachments

  • test-tails-weblate-update

Parent Task: #15082 (closed)

Related issues

  • Related to tails#15185 (closed)
  • Related to #15401 (closed)
  • Related to tails#16760 (closed)
  • Related to tails#16761
  • Blocks #16712 (closed)
Edited May 21, 2020 by Anonymous
Milestone: Tails_3.15 (Past due)
Reference: tails/sysadmin#15402
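
The requirements in the issue above can be expressed as a git `update` hook along the following lines. This is an added example, not the project's tails-weblate-update.hook: the gitolite user name `weblate`, the reading of "po files" as paths ending in `.po`, the refusal of ref deletion, and all function names are assumptions made for the sketch.

```python
"""Added sketch of a git update hook, invoked as: update <refname> <oldrev> <newrev>."""
import os
import subprocess
import sys

WEBLATE_USER = "weblate"  # assumption: gitolite user name of the Weblate pusher
REQUIRED_COMMITTER = "weblate <tails-l10n@boum.org>"  # committer named in the issue

def git(*args):
    return subprocess.run(("git",) + args, check=True, capture_output=True,
                          text=True).stdout

def is_null(rev):
    # An all-zero object id means the ref is being created (old) or deleted (new).
    return set(rev) == {"0"}

def commit_violations(committer, paths):
    """Pure policy check for one commit; returns the reasons to reject it."""
    problems = []
    if committer != REQUIRED_COMMITTER:
        problems.append(f"committer is {committer!r}")
    problems += [f"non-po path {p!r}" for p in paths if not p.endswith(".po")]
    return problems

def check_push(gl_user, oldrev, newrev):
    if gl_user != WEBLATE_USER:
        return []  # all other users: the hook does nothing
    if is_null(newrev):
        return ["ref deletion is not allowed"]  # assumption: deny for weblate
    # A new ref has no old tip: inspect every commit no existing ref reaches yet.
    spec = [newrev, "--not", "--all"] if is_null(oldrev) else [f"{oldrev}..{newrev}"]
    problems = []
    for sha in git("rev-list", *spec).split():
        committer = git("log", "-1", "--format=%cn <%ce>", sha).strip()
        # -m diffs a merge against each parent (plain diff-tree prints nothing
        # for merges); --root makes a parentless commit list its files too.
        out = git("diff-tree", "-r", "-m", "--root", "--no-commit-id",
                  "--name-only", "-z", sha)
        paths = [p for p in out.split("\0") if p]
        problems += [f"{sha[:12]}: {v}" for v in commit_violations(committer, paths)]
    return problems

if __name__ == "__main__":
    # os.environ[...] raises if GL_USER is unset, so a misconfigured hook
    # exits non-zero and the push is refused rather than waved through.
    found = check_push(os.environ["GL_USER"], sys.argv[2], sys.argv[3])
    sys.exit("rejected:\n" + "\n".join(found) if found else 0)
```

Every pushed commit is checked individually, so a non-po change that is added in one commit and reverted in a later one within the same push is still rejected.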