[BCLOUD-22436] Download repository archives with repository access tokens

Type: Suggestion
Resolution: Unresolved
Component/s: Repository - Security Tab
Labels:
None

Feedback Policy:

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

Problem Definition

The archives on the Downloads page of the repo can be downloaded programmatically with basic authentication, as follows

curl -u BB_Username:BB_AppPassword https://bitbucket.org/<workspace-id>/<repo-slug>/get/1.0.zip -o 1.0.zip

However, this is not currently possible with a Repository access token. If someone is writing a script to download an archive, and that script can be accessed by other users as well, then their app password gets exposed to other users.

Workaround

A Git command can be used to clone the repo. If an archive of a certain tag or branch is needed, then the following command can be used to clone a specific tag or branch

git clone --depth 1 --branch <branch_or_tag> https://x-token-auth@bitbucket.org/<workspace-id>/<repo-slug>.git

<branch_or_tag> can be either a branch name or a tag name.
--depth 1 is optional. If we only need the source code, then it may not be useful to clone the whole history.

If only the source code files are needed and not the history, then the .git folder inside the repo can be deleted after the clone.

relates to

BCLOUD-22513 Allow using RATs or WATs to a download repository archive

Gathering Interest

BCLOUD-23289 Download repository archives in a Forge app

Gathering Interest

Andrew Clark added a comment - 06/Nov/2023 5:06 PM

Are credentials exposed if used in repository / workspace variables and referenced in the script with $PASSWORD?

Andrew Clark added a comment - 06/Nov/2023 5:06 PM Are credentials exposed if used in repository / workspace variables and referenced in the script with $PASSWORD?

Christophe Faribault added a comment - 12/May/2023 9:42 PM - edited

Same goes for files under "Downloads" like:

https://api.bitbucket.org/2.0/repositories/<owner>/<repo>/downloads/file.yml

This would be very useful for automated build/release where software builds are pushed to the repo.

Christophe Faribault added a comment - 12/May/2023 9:42 PM - edited Same goes for files under "Downloads" like: https: //api.bitbucket.org/2.0/repositories/<owner>/<repo>/downloads/file.yml This would be very useful for automated build/release where software builds are pushed to the repo.

Assignee:: Unassigned

Reporter:: Theodora Boudale

Votes:: 14 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 31/Jan/2023 10:36 AM

Updated:: 24/Jun/2024 6:35 AM

Details

Description

Problem Definition

Suggested Solution

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: Andrew Clark added a comment - 06/Nov/2023 5:06 PM

Expand comment: Andrew Clark added a comment - 06/Nov/2023 5:06 PM

Collapse comment: Christophe Faribault added a comment - 12/May/2023 9:42 PM, Edited by Christophe Faribault - 12/May/2023 9:43 PM

Expand comment: Christophe Faribault added a comment - 12/May/2023 9:42 PM, Edited by Christophe Faribault - 12/May/2023 9:43 PM

People

Dates