  1. Bitbucket Server
  2. BSERV-11963

Plugins can access Bitbucket's internal DMZ API

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 6.0.0
    • Fix Version/s: 6.7.0, 6.6.1
    • Component/s: API - Java
    • Labels:
      None

      Description

      Issue Summary

      Bitbucket Server's DMZ API (introduced in 6.0.0) is for internal use only and was not intended to be available to third-party apps. The ability to import com.atlassian.bitbucket.dmz via OSGi needs to be prevented, just as it is for other internal APIs.

      Steps to Reproduce

      In a P2 plugin, import and use something from the com.atlassian.bitbucket.dmz namespace, such as the DmzStorageService.

      Expected Results

      The DmzStorageService should not be accessible; the API changelog even documents its functionality as unavailable:

      Removal of direct access to repositories on disk

      In Bitbucket Server 5.10 direct access to the Bitbucket managed repositories on disk for plugins was deprecated. In 6.0 the deprecated API that permitted this has been removed. For further information please refer to the changelog entry for 5.10.

      Actual Results

      A plugin can use the DmzStorageService and other internal classes in the com.atlassian.bitbucket.dmz namespace.

      Workaround

      Plugins can be updated to not utilise com.atlassian.bitbucket.dmz.
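
To find which plugins the workaround applies to, the OSGi imports declared in each plugin JAR's manifest can be checked for the namespace. The following is an added example, not part of the original issue or of Atlassian's code; the function names and the in-memory sample JAR builder are constructed for illustration.

```python
import io
import re
import zipfile

DMZ = "com.atlassian.bitbucket.dmz"  # namespace named in the issue
HEADERS = ("Import-Package", "DynamicImport-Package")

def parse_manifest(text):
    """Main-section headers of a JAR manifest; a leading space continues a line."""
    headers, name = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:  # a blank line ends the main section
            break
        if line.startswith(" ") and name:
            headers[name] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name] = value.lstrip(" ")
    return headers

def package_names(header_value):
    """Package names in an OSGi header; separators inside quotes are ignored."""
    names = []
    for clause in re.findall(r'(?:[^,"]|"[^"]*")+', header_value):
        for part in re.findall(r'(?:[^;"]|"[^"]*")+', clause):
            if "=" not in part:  # attributes and directives contain '='
                names.append(part.strip())
    return names

def dmz_imports(jar_bytes):
    """Sorted packages under the DMZ namespace that a plugin JAR imports."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return []
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    headers = parse_manifest(text)
    found = {n for h in HEADERS for n in package_names(headers.get(h, ""))
             if n == DMZ or n.startswith(DMZ + ".")}
    return sorted(found)

def sample_jar(imports):
    """Constructed sample: in-memory JAR with a 72-column wrapped manifest."""
    line = "Import-Package: " + imports
    wrapped = [line[:72]] + [" " + line[i:i + 71] for i in range(72, len(line), 71)]
    manifest = "Manifest-Version: 1.0\r\n" + "\r\n".join(wrapped) + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()
```

Pass the bytes of a plugin JAR to `dmz_imports`; a non-empty result means the plugin declares an import under the namespace. Wildcard `DynamicImport-Package` entries such as `*` are not flagged by this check.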

              People

              Assignee:
              Unassigned
              Reporter:
              behumphreys Ben Humphreys