Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Duplicate
Priority: Highest
Component/s: Pipelines - Run Failures
Labels:
- migrated

Bug Fix Policy:
View Atlassian Cloud bug fix policy

Description

Attached to this issue is a bitbucket-pipelines.yml for reference.

As you can see, we use the env vars PROD_AWS_ACCESS_KEY_ID and PROD_AWS_ACCESS_KEY_SECRET, to deploy master branch to our production instance.

However, any developer can change the bitbucket-pipelines.yml and use those env vars for the 'default' pipeline and thus deploy dev code or any other malicious code to the production environment. In fact, this can even happen by accident by a developer editing the file and copy/pasting portions of it to a different step.

There is no way to limit the visibility of these env vars defined in bitbucket project to ensure they are only available while running the master branch pipeline.

This seems to be a huge security issue, allowing any developer to modify the bitbucket-pipelines.yml file and deploy absolutely anything to the production environment.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

bitbucket-pipelines.yml
1 kB
08/Sep/2019 11:38 PM

Activity

People

Assignee:: Unassigned

Reporter:: Prashant Deva

Votes:: 2 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 25/Jun/2018 5:51 PM

Updated:: 08/Sep/2019 11:38 PM

Resolved:: 27/Jun/2018 4:50 AM