Closed
Created Mar 13, 2018 by Anonymous@Anonymous

update hook for Main git when handling push from weblate

Originally created by @Anonymous on #15402 (Redmine)

This script is the security barrier into maingit. It is triggered by the bare git hook mechanism.
It is placed inside puppet-tails: files/gitolite/hooks/tails-weblate-update.hook

Environment:

  • the script is triggered for every push to tails.git
  • malicious users try to trick this script
  • the translation-server may be compromised and the weblate user may push malicious commits.
  • GL_USER is an environment variable that is set by gitolite, is safe to rely on, and indicates the user that is pushing.
  • If the script returns with status code 0 the push is allowed; if it returns a non-zero status the push is not allowed.
  • Any output to stdout/stderr is allowed but only displayed to the user.

Expected outcome:

  • Weblate needs to use “weblate <tails-l10n@boum.org>” as committer “name ” in any case
  • Weblate is ONLY to push po files, nothing else, in any case.
  • Everything else is not allowed for weblate.
  • For all other users the script should not do anything.

Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes

Attachments

  • test-tails-weblate-update

Parent Task: #15082 (closed)

Related issues

  • Related to tails#15185 (closed)
  • Related to #15401 (closed)
  • Related to tails#16760 (closed)
  • Related to tails#16761
  • Blocks #16712 (closed)
Edited May 21, 2020 by Anonymous
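
A sketch of an update hook that enforces the expected outcome listed in this issue. It is an added example, not the hook from the feature branch or from puppet-tails. Assumptions: the gitolite user for Weblate is named `weblate`, the function names `commit_allowed` and `check_push` are hypothetical, and merge commits, empty commits and ref deletions from Weblate are refused so that the check fails closed.

```shell
#!/bin/sh
# Added example: update hook sketch (git passes: refname oldrev newrev).
# Assumption: gitolite's user for Weblate is named "weblate".
WEBLATE_USER="weblate"
WEBLATE_COMMITTER="weblate <tails-l10n@boum.org>"
ZERO="0000000000000000000000000000000000000000"

# Pure policy check: $1 = committer "name <email>", $2 = changed paths,
# one per line. Returns 0 only if the commit is acceptable from Weblate.
commit_allowed() {
    [ "$1" = "$WEBLATE_COMMITTER" ] || return 1
    [ -n "$2" ] || return 1            # no file list (merge, empty commit): refuse
    while IFS= read -r path; do
        case "$path" in
            *.po) ;;                   # the only file type Weblate may touch
            *) return 1 ;;             # anything else, incl. git-quoted odd names
        esac
    done <<EOF
$2
EOF
    return 0
}

# Walk every commit the push introduces and apply commit_allowed to each.
check_push() {
    [ "${GL_USER:-}" = "$WEBLATE_USER" ] || return 0   # other users: do nothing
    [ "$3" != "$ZERO" ] || { echo "weblate may not delete refs" >&2; return 1; }
    # New ref: check everything not already reachable from existing refs.
    if [ "$2" = "$ZERO" ]; then range="$3 --not --all"; else range="$2..$3"; fi
    revs=$(git rev-list $range) || return 1
    for rev in $revs; do
        who=$(git log -1 --format='%cn <%ce>' "$rev") || return 1
        files=$(git diff-tree --root --no-commit-id --name-only -r "$rev") || return 1
        commit_allowed "$who" "$files" || {
            echo "rejected $rev: wrong committer or non-po change" >&2
            return 1
        }
    done
}

# Act as a hook only when called with the three update-hook arguments.
if [ "$#" -eq 3 ]; then
    check_push "$@"
    exit $?
fi
```

The committer identity is only a label inside the commit object; the trust decision rests on `GL_USER`, which gitolite sets, and the committer check merely enforces the naming convention the issue asks for.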