Uploaded image for project: 'Bitbucket Cloud'
  1. Bitbucket Cloud
  2. BCLOUD-18228

Bitbucket Pipelines: "Pushing back to your repository" feature introduces security issue

    XMLWordPrintable

    Details

      Description

      Hello,

      This issue is in regards to the new feature in BP that allows pushes back up to a repository without the need for authentication. I believe this creates a big security hole in what was (before this feature was introduced) a more secure system.

      For example, consider a CI workflow where developers merge in PRs from outside developers. Aside from code reviews (which are subject to human error), there would be nothing stopping a malicious outside developer from writing a script that pushes code back up to the repository. Perhaps this could be prevented by locking down the repository with branch permissions (i.e. only allow code in via a PR merge), but then BP cannot use a bot account to do automated pushes.

      It seems to me that the old system – base64 encoding an SSH key – while slightly inconvenient, was very secure. With the new HTTP pushing feature, that security is lost for a minor gain in convenience.

      If I'm missing something here, I'd REALLY like to know what, because from my POV this is a big step backwards.

      For reference, please see https://community.atlassian.com/t5/Bitbucket-Pipelines-articles/Pushing-back-to-your-repository/ba-p/958407?utm_campaign=mentions_comment&utm_content=topic&utm_medium=email&utm_source=atlcomm

      (I have made several comments in the thread regarding this security hole. In particular, I was requesting further discussion, but got no response. I'm hoping raising the issue here will help.)

      Thanks,

      Ryan

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            ryan.bannon ryanbannon
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: