Details
- Type: Bug
- Resolution: Duplicate
- Priority: High
Description
Hello,
This issue is in regard to the new feature in BP that allows pushes back up to a repository without the need for authentication. I believe this creates a big security hole in what was (before this feature was introduced) a more secure system.
For example, consider a CI workflow where developers merge in PRs from outside developers. Aside from code reviews (which are subject to human error), there would be nothing stopping a malicious outside developer from writing a script that pushes code back up to the repository. Perhaps this could be prevented by locking down the repository with branch permissions (i.e. only allow code in via a PR merge), but then BP cannot use a bot account to do automated pushes.
It seems to me that the old system – base64 encoding an SSH key – while slightly inconvenient, was very secure. With the new HTTP pushing feature, that security is lost for a minor gain in convenience.
If I'm missing something here, I'd REALLY like to know what, because from my POV this is a big step backwards.
For reference, please see https://community.atlassian.com/t5/Bitbucket-Pipelines-articles/Pushing-back-to-your-repository/ba-p/958407?utm_campaign=mentions_comment&utm_content=topic&utm_medium=email&utm_source=atlcomm
(I have made several comments in the thread regarding this security hole. In particular, I was requesting further discussion, but got no response. I'm hoping raising the issue here will help.)
Thanks,
Ryan
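The mitigation the report mentions, branch permissions that let code onto protected branches only through a PR merge while a designated bot account is still allowed to push, can be enforced server-side as a git pre-receive hook on a git server that runs custom hooks. The following is an added example; it is not code from the report, from Bitbucket Pipelines or from Atlassian. It assumes a hypothetical hosting layer that exports the authenticated pusher's account name in a PUSHER_ACCOUNT environment variable, and the branch names, account names and commit ids below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the report or from Bitbucket): a minimal git
# pre-receive hook that enforces branch protection on the server side.
# Assumption: the hosting layer sets PUSHER_ACCOUNT to the authenticated
# account performing the push (hypothetical variable name).
PROTECTED_BRANCHES="${PROTECTED_BRANCHES:-main release}"   # constructed defaults
ALLOWED_PUSHERS="${ALLOWED_PUSHERS:-ci-bot}"               # the automation account

# is_listed WORD LIST: succeeds if WORD is one of the space-separated LIST entries
is_listed() {
    for entry in $2; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# check_ref REFNAME PUSHER: 0 = allow the update, 1 = reject it
check_ref() {
    ref="$1"
    pusher="$2"
    branch="${ref#refs/heads/}"
    # Tags and other non-branch refs are not governed by this hook
    [ "$branch" = "$ref" ] && return 0
    # Unprotected branches may be pushed to by anyone who can reach the repo
    is_listed "$branch" "$PROTECTED_BRANCHES" || return 0
    # Protected branches accept direct pushes only from the allowlisted bot
    is_listed "$pusher" "$ALLOWED_PUSHERS" && return 0
    return 1
}

# check_push PUSHER reads "oldrev newrev refname" lines on stdin (the
# pre-receive format) and rejects the whole push if any update is disallowed.
check_push() {
    pusher="$1"
    status=0
    while read -r oldrev newrev refname; do
        [ -z "$refname" ] && continue
        if ! check_ref "$refname" "$pusher"; then
            echo "rejected: $pusher may not update $refname directly; open a pull request" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone demo with constructed input: a push from an outside developer
# that touches a feature branch (allowed) and main (rejected).
# When installed as hooks/pre-receive, replace this with:
#   check_push "${PUSHER_ACCOUNT:-unknown}"
demo() {
    printf '%s\n' \
      "0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 refs/heads/feature/x" \
      "2222222222222222222222222222222222222222 3333333333333333333333333333333333333333 refs/heads/main" \
    | check_push "outside-dev"
}
```

The hook rejects the entire push as soon as one protected ref is updated by a non-allowlisted account, which is the behaviour git expects from pre-receive: a non-zero exit refuses every ref in the push, so an outside contributor's script cannot smuggle a change onto main alongside a legitimate feature-branch update while the bot account continues to work.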