[buildbucket] Add configuration option to explicitly permit overriding properties.

Not yet enforced; the plan is to:
1. Land and deploy this change
2. Propose CLs to all Builders which currently accept ScheduleBuild requests with
   property overrides which intersect with the Builder's defined properties.
3. Start enforcing this setting.

The intent is to make it so that Builders which allow users to overwrite properties
explicitly indicate which properties are allowed to be overridden.

This will allow the definition of secure builders which don't permit sensitive
properties like 'recipe' to be overwritten, for potential exploit.

R=vadimsh

Bug: 1306248
Change-Id: I20b5018cc0bc77a1f413592ceaecb3f51b37a1c9
Reviewed-on: https://chromium-review.googlesource.com/c/infra/luci/luci-go/+/3537445
Commit-Queue: Robbie Iannucci <iannucci@chromium.org>
Reviewed-by: Chan Li <chanli@chromium.org>
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>
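
The check the commit message describes, sketched as an added Go example (not code from this change or from Buildbucket): a requested property is flagged when it collides with a builder-defined property that is not explicitly allowed to be overridden. The type, field and function names are hypothetical, the sample data is constructed, and the Enforce flag models the "not yet enforced" stage of the rollout plan.

```go
package main

import (
	"fmt"
	"sort"
)

// OverridePolicy is a hypothetical model of one builder's settings; the names
// are assumptions for this example, not Buildbucket's schema.
type OverridePolicy struct {
	Defined map[string]string // properties set by the builder definition
	Allowed []string          // defined properties a request may override
	Enforce bool              // false models the "not yet enforced" stage
}

// Check returns the requested properties that collide with builder-defined
// ones without being allowlisted, and whether the request would be admitted.
// Properties the builder does not define are left alone, following the
// commit message's wording about overrides that intersect defined properties.
func (p OverridePolicy) Check(requested map[string]string) (violations []string, admit bool) {
	allowed := make(map[string]bool, len(p.Allowed))
	for _, name := range p.Allowed {
		allowed[name] = true
	}
	for name := range requested {
		if _, defined := p.Defined[name]; defined && !allowed[name] {
			violations = append(violations, name)
		}
	}
	sort.Strings(violations) // stable order for logs and tests
	return violations, !p.Enforce || len(violations) == 0
}

func main() {
	// Constructed sample builder and request.
	policy := OverridePolicy{
		Defined: map[string]string{"recipe": "release/build", "channel": "stable"},
		Allowed: []string{"channel"},
	}
	req := map[string]string{"recipe": "other/recipe", "channel": "beta", "note": "x"}

	for _, enforce := range []bool{false, true} {
		policy.Enforce = enforce
		violations, admit := policy.Check(req)
		fmt.Printf("enforce=%v violations=%v admit=%v\n", enforce, violations, admit)
	}
}
```

Run with Enforce set to false, the same check lists the builders and properties that step 2 of the plan would have to update before enforcement is switched on.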
14 files changed
tree: 8c964cf1727713647a93b35e0aed6ec4d27469f0
README.md

luci-go: LUCI services and tools in Go

Installing

LUCI Go code is meant to be worked on from a Chromium infra.git checkout, which enforces package versions and the Go toolchain version. First get fetch via depot_tools.git, then run:

fetch infra
cd infra/go
eval `./env.py`
cd src/go.chromium.org/luci

Contributing

Contributing uses the same flow as Chromium contributions.