Bamboo Data Center / BAM-20204

"unknown" IP X-Forwarded-For in http header should be handled correctly.


Details

    Description

      This affected Bitbucket Cloud (bitbucket.org) Webhooks to HTTP (not HTTPS) Bamboo instances but this has been fixed on the Bitbucket side and is no longer occurring.

      Bamboo uses the X-Forwarded-For field in the HTTP header to determine who is sending a remote trigger. If the incoming request has been forwarded through a proxy, the X-Forwarded-For field may contain an "unknown" entry in place of an IP address.
      "unknown" is a valid value in the proposed RFC for "Forwarded", the header intended to replace X-Forwarded-For.

      Unfortunately, the Bamboo code assumes that the field contains only IP addresses, and rejects the request on the "unknown" entry, returning the following exception as the response:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?><status><status-code>500</status-code><message>'unknown' is not an IP string literal.</message><stack-trace>java.lang.IllegalArgumentException: 'unknown' is not an IP string literal.
      at com.google.common.net.InetAddresses.forString(InetAddresses.java:153)
      at com.atlassian.bamboo.trigger.remote.RemoteTriggerIpHandling.isCidrMatching(RemoteTriggerIpHandling.java:86)
      at com.atlassian.bamboo.trigger.remote.RemoteTriggerIpHandling.ipMatchesHost(RemoteTriggerIpHandling.java:74)
      at com.atlassian.bamboo.trigger.remote.RemoteTriggerIpHandling.lambda$whiteListEntryMatchesIp$1(RemoteTriggerIpHandling.java:135)
      at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
      at java.util.Spliterators$IteratorSpliterator.tryAdvance(Spliterators.java:1812)
      at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
      at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
      at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
      at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
      at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
      at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
      at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
      at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:449)
      at com.atlassian.bamboo.trigger.remote.RemoteTriggerIpHandling.lambda$areAllIpsAllowed$0(RemoteTriggerIpHandling.java:125)
      at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
      at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1351)
      at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
      at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
      at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
      at java.util.stream.AbstractPipeline.wrapAndCopyI

      The comparison code in the bamboo.remote.trigger plugin should not fail with an error when it encounters an "unknown" entry, though a message in the logs would help with troubleshooting.
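      As an added illustration, not Bamboo's own code, here is a Python version of the allowlist check that behaves the way the request above asks: entries that are not IP literals are logged and skipped instead of being handed to an address parser (which is what made InetAddresses.forString throw), and every remaining address must fall inside an allowlisted CIDR, as in areAllIpsAllowed. Rejecting a chain that contains no verifiable address at all is this example's assumption, not something the report specifies; the header itself is only as trustworthy as the proxy that set it, which is the point of Option 3 below.

```python
import ipaddress
import logging

log = logging.getLogger("bamboo.remote.trigger")

# Entries that are legitimately not IP literals; "unknown" is what the
# Bitbucket Cloud proxy sent in the report above.
NON_ADDRESS_TOKENS = {"unknown"}


def parse_forwarded_for(header_value):
    """Split an X-Forwarded-For value into (addresses, skipped).

    addresses: ip_address objects for every entry that is an IP literal.
    skipped:   raw tokens that are not (the kind of value that made
               InetAddresses.forString throw in the stack trace).
    """
    addresses, skipped = [], []
    for raw in header_value.split(","):
        token = raw.strip()
        if not token:
            continue
        if token.lower() in NON_ADDRESS_TOKENS:
            skipped.append(token)
            continue
        try:
            addresses.append(ipaddress.ip_address(token))
        except ValueError:
            # Anything else that is not an IP literal is recorded, not raised.
            skipped.append(token)
    return addresses, skipped


def all_ips_allowed(header_value, allowlist_cidrs):
    """Allowlist check in the spirit of areAllIpsAllowed, minus the 500.

    Every IP literal in the chain must sit inside some allowlisted CIDR.
    Non-address tokens are logged and ignored. A chain with no verifiable
    address is rejected (assumption: nothing could be checked).
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in allowlist_cidrs]
    addresses, skipped = parse_forwarded_for(header_value)
    for token in skipped:
        log.warning("X-Forwarded-For entry %r is not an IP literal; skipped", token)
    if not addresses:
        return False
    # 'ip in net' is simply False (not an error) when the IP versions differ.
    return all(any(ip in net for net in networks) for ip in addresses)
```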

      Workaround

      Option 1

      Until a fix is available, you can convert your triggers from Remote Trigger to Repository Polling at Plan Configuration >> Triggers to get automated triggering working again.

      Triggers can be bulk replaced at Bamboo Administration > Bulk Action > Replace triggers

      Option 2

      Secure Bamboo using SSL. HTTPS webhook endpoints are unaffected by this issue because of the proxying done by Bitbucket Cloud.

      Your Bamboo Base URL will need to be updated with the new HTTPS address and each Bitbucket Cloud webhook will need to point to the new address.

      Option 3

      If SSL is not an option, place an HTTP reverse proxy between the source and the Bamboo server that rewrites the X-Forwarded-For field so that it contains only IP addresses, for example with the proxy_set_header directive in Nginx.

            People

              moles Marcin Oles
              cberry@atlassian.com Chris Berry