Tekton Pipelines Unanchored Pattern Bypass Vulnerability in Trusted Resources Verification

Vulnerability

A vulnerability exists in Tekton Pipelines versions 0.43.0 through 1.11.0 that allows trusted resources verification policies to be bypassed. The verification process matches resource sources against unanchored regular expressions, so a trusted substring embedded in an attacker-controlled source string still satisfies the pattern. This unintended matching can change which verification modes or keys are applied to the resource.

Impact

Exploitation of this vulnerability allows an attacker to manipulate the trusted resources verification process, potentially leading to incorrect verification outcomes and to unauthorized changes in the verification modes or keys that are applied.

Reproduction

The vulnerability can be reproduced by creating a trusted resources verification policy with an unanchored regular expression pattern. An attacker can then craft a source string that contains a substring matching the policy pattern, such as 'https://github.com/tektoncd/catalog.git', and use it in a way that is accepted by the Tekton Pipelines verification process. This can be automated with a provided proof of concept that demonstrates the vulnerability.

Remediation

To address this vulnerability, it is recommended to anchor verification policy resource patterns so that they match only the full source string rather than any substring of it. For example, patterns can be updated to 'https://github.com/tektoncd/catalog.git'.
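The following Go model of the pattern check is an added example, not code from Tekton or from this advisory; the Policy type, anchorPattern and matchingPolicies are illustrative names, and the policy and source strings are constructed samples. It shows the same pattern accepting a crafted source when used unanchored and rejecting it once anchored.

```go
package main

import (
	"fmt"
	"regexp"
)

// Policy is a minimal stand-in for a trusted-resources verification policy
// (illustrative type; Tekton's own policy schema is not reproduced here).
type Policy struct{ Name, Pattern string }

// anchorPattern wraps a resource pattern so it must match the whole source
// string; the non-capturing group keeps alternations such as "a|b" inside the anchors.
func anchorPattern(pattern string) string {
	return "^(?:" + pattern + ")$"
}

// matchingPolicies returns the names of policies whose pattern matches source.
// anchored=false uses the pattern as written (the substring match the advisory
// describes); anchored=true applies anchorPattern first (the remediation).
func matchingPolicies(policies []Policy, source string, anchored bool) ([]string, error) {
	var hits []string
	for _, p := range policies {
		pat := p.Pattern
		if anchored {
			pat = anchorPattern(pat)
		}
		re, err := regexp.Compile(pat)
		if err != nil {
			return nil, fmt.Errorf("policy %s: %w", p.Name, err)
		}
		if re.MatchString(source) {
			hits = append(hits, p.Name)
		}
	}
	return hits, nil
}

func main() {
	// Constructed sample: one policy, and a source string that merely contains
	// the trusted URL inside an attacker-chosen prefix.
	policies := []Policy{{Name: "catalog", Pattern: "https://github.com/tektoncd/catalog.git"}}
	crafted := "https://git.example.invalid/mirror/https://github.com/tektoncd/catalog.git"
	loose, _ := matchingPolicies(policies, crafted, false)
	strict, _ := matchingPolicies(policies, crafted, true)
	fmt.Println("unanchored:", loose, "anchored:", strict) // unanchored: [catalog] anchored: []
}
```

Anchoring fixes the substring problem only; the unescaped dots in the sample pattern still match any character, so a pattern meant to be a literal URL should also be escaped (for example with regexp.QuoteMeta).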

Added: Apr 21, 2026, 7:11 PM
Updated: Apr 21, 2026, 7:11 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          0.6
exploitability  6.0
remediation     7.9
relevance       6.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.