Severe security issues in Docker container
The file permissions in the container are way too open as all those files are writable by everyone:
root@94c66ed3d82f:/repomaker# ls -la
total 92
drwxr-xr-x. 7 root root 108 Nov 19 2020 .
drwxr-xr-x. 22 root root 12 May 22 13:38 ..
-rw-rw-rw-. 1 root root 201 Nov 19 2020 .dockerignore
-rw-rw-rw-. 1 root root 80 Nov 19 2020 .weblate
-rw-rw-rw-. 1 root root 639 Nov 19 2020 CHANGELOG.md
-rw-rw-rw-. 1 root root 2266 Nov 19 2020 Dockerfile
-rw-rw-rw-. 1 root root 34520 Nov 19 2020 LICENSE
-rw-rw-rw-. 1 root root 1996 Nov 19 2020 Vagrantfile
drwxr-xr-x. 2 root root 56 Nov 19 2020 debian
drwxrwxrwx. 2 root root 230 Nov 19 2020 docker
-rwxrwxrwx. 1 root root 291 Nov 19 2020 httpd-foreground
-rwxrwxrwx. 1 root root 808 Nov 19 2020 manage.py
drwxr-xr-x. 6 root root 184 Nov 19 2020 node_modules
-rw-r--r--. 1 root root 1186 Nov 19 2020 package-lock.json
-rw-rw-rw-. 1 root root 344 Nov 19 2020 package.json
-rwxrwxrwx. 1 root root 1752 Nov 19 2020 pre-release.sh
drwxrwxrwx. 11 root root 92 Nov 19 2020 repomaker
drwxr-xr-x. 7 root root 124 Nov 19 2020 repomaker-static
-rw-rw-rw-. 1 root root 43 Nov 19 2020 requirements-dev.txt
-rw-rw-rw-. 1 root root 39 Nov 19 2020 requirements-gui.txt
-rw-rw-rw-. 1 root root 330 Nov 19 2020 requirements.txt
-rwxrwxrwx. 1 root root 1378 Nov 19 2020 wait-for
root@94c66ed3d82f:/repomaker#
This file permission issue is due to a "works as poorly designed!" problem in gitlab-ci: the project is checked out with mode 666 instead of a more reasonable 644, and that permission is then copied over into the container by the pipeline. As seen in gitlab-org/gitlab-runner#4187 (closed) and gitlab-org/gitlab-runner#1736 (closed), the problem is likely getting fixed with 13.7, after just 2 years of development.
Not having the binaries of a running process writable is key to avoiding privilege escalation, even in the container world, and especially for tools that distribute software. We should probably do the chmod ourselves instead of waiting for the new runner version.
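As an added example (not part of the repomaker project or its Dockerfile), the check and the fix the paragraph above proposes, written as two shell functions: one that lists every world-writable file or directory in a checkout, and one that normalises modes to 644/755 while keeping scripts executable. The sample tree it builds is constructed to mirror the listing in this report.

```shell
#!/bin/sh
# Added example, not repomaker's own code: detect and repair the
# world-writable checkout before it is copied into the image.
set -eu

# Print every regular file or directory under $1 whose mode has the
# other-write bit (o+w, octal 002) set, one per line.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 -print | sort
}

# Normalise modes: directories and owner-executable files (scripts such
# as manage.py or wait-for) become 755, everything else becomes 644.
# In a Dockerfile this is the step to run right after the COPY.
fix_modes() {
    find "$1" -xdev -type d -exec chmod 755 {} +
    find "$1" -xdev -type f -perm -100 -exec chmod 755 {} +
    find "$1" -xdev -type f ! -perm -100 -exec chmod 644 {} +
}

# Constructed sample checkout with the same defects as the ls output
# above; prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/docker" "$d/debian"
    printf 'FROM scratch\n' > "$d/Dockerfile";   chmod 666 "$d/Dockerfile"
    printf '#!/bin/sh\n' > "$d/manage.py";       chmod 777 "$d/manage.py"
    printf '{}\n' > "$d/package-lock.json";      chmod 644 "$d/package-lock.json"
    chmod 777 "$d/docker"
    chmod 755 "$d/debian"
    printf '%s\n' "$d"
}
```

With BuildKit, `COPY --chmod=...` applies one mode to everything copied and so cannot give files 644 and directories 755 at once, which is why a post-copy pass like `fix_modes` is the simpler repair.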