Uploaded image for project: 'Bitbucket Cloud'
  1. Bitbucket Cloud
  2. BCLOUD-16579

Huge Security Issue with Environment Variables

    XMLWordPrintable

    Details

      Description

      Attached to this issue is a bitbucket-pipelines.yml for reference.

      As you can see, we use the env vars PROD_AWS_ACCESS_KEY_ID and PROD_AWS_ACCESS_KEY_SECRET, to deploy master branch to our production instance.

      However, any developer can change the bitbucket-pipelines.yml and use those env vars for the 'default' pipeline and thus deploy dev code or any other malicious code to the production environment. In fact, this can even happen by accident by a developer editing the file and copy/pasting portions of it to a different step.

      There is no way to limit the visibility of these env vars defined in bitbucket project to ensure they are only available while running the master branch pipeline.

      This seems to be a huge security issue, allowing any developer to modify the bitbucket-pipelines.yml file and deploy absolutely anything to the production environment.

        Attachments

        1. bitbucket-pipelines.yml
          1 kB
          Prashant Deva

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            prashant2 Prashant Deva
            Votes:
            2 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: