Details
- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Version: 7.4.0
- Severity 3 - Minor
Description
Appending a trailing "%27" (URL-encoded single quote) to the commits page URL in Bitbucket causes the application to output the error shown below.
This is improper error handling: the message discloses the filesystem path of the git executable on the server, overflows the layout of the error page, and gives no clear indication of what actually caused the failure.
According to best practices on error handling and security:
Physical paths, versioning information, contents of stack traces and other data can be gathered and used to help further an attack. Applications should always fail safe. If an application fails to an unknown state, it is likely that an attacker may be able to exploit this indeterminate state to access unauthorized functionality, or worse create, modify or destroy data. Error messages may also aid in the identification of other attacks such as buffer overflows and SQL injection.
How to reproduce it
Web browser
- Navigate to <BITBUCKET_BASE_URL>/projects/<project>/repos/<repo>/commits/ in the browser
- Append an encoded single quote (%27) to the end of the URL, i.e. .../commits/%27
REST request with a bad commit hash
The same result can be obtained with a GET to the commits endpoint:
GET /rest/api/1.0/projects/<project>/repos/<repository>/commits/1%27
{
  "errors": [
    {
      "context": null,
      "message": "'/usr/bin/git rev-list --format=%H%x02%P%x02%aN%x02%aE%x02%at%x02%cN%x02%cE%x02%ct%n%B%n%x03END%x04 --no-walk=unsorted 1(') 1(')^@ --' exited with code 128 saying: fatal: bad revision '1(')'",
      "exceptionName": "com.atlassian.bitbucket.scm.CommandFailedException"
    }
  ]
}
REST request with an empty commit hash and a path parameter
A GET to <BITBUCKET_BASE_URL>/rest/api/1.0/projects/<project>/repos/<repo>/commits with the query parameter path set to test_string' (a value ending in a single quote) also reproduces it.
Suggested solution
Improve error handling on this page and endpoint: validate the commit identifier before it reaches git, remove the executable path and raw command output from the response, and return a meaningful message about the cause of the error.
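The following is an added example, not Bitbucket's own code, of the two fixes the suggestion calls for: an allowlist check on the revision before any git command is built, and a failure handler that logs the raw command output server-side while the client receives only a fixed message and an opaque reference id. It is written in Python for brevity; the CommandFailedException stand-in, the allowlist patterns, the HTTP status codes and the failing_git helper are assumptions, and the sample failure text is the message copied from the report above.

```python
"""Added example (not Bitbucket's code): allowlist the revision before it reaches git,
and never echo the SCM command's raw failure text to the HTTP client."""
from __future__ import annotations

import logging
import re
import uuid
from dataclasses import dataclass
from typing import Callable

log = logging.getLogger("scm")

# Constructed sample input: the raw message the report shows for commits/1%27.
RAW_GIT_FAILURE = (
    "'/usr/bin/git rev-list --format=%H%x02%P%x02%aN%x02%aE%x02%at%x02%cN%x02%cE%x02%ct%n%B%n%x03END%x04 "
    "--no-walk=unsorted 1(') 1(')^@ --' exited with code 128 saying: fatal: bad revision '1(')'"
)


class CommandFailedException(Exception):
    """Stand-in (assumption) for com.atlassian.bitbucket.scm.CommandFailedException;
    its message is the raw command line plus stderr, exactly what must not reach the client."""


# Hypothetical allowlist: an abbreviated or full SHA-1, or a conservative ref name.
_HEX_REV = re.compile(r"^[0-9a-fA-F]{4,40}$")
_REF_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_valid_revision(rev: str) -> bool:
    """Reject anything that is not an object id or a plain ref name: quotes, spaces,
    option-looking values (leading '-'), ranges ('..') and reflog syntax ('@{')."""
    if _HEX_REV.fullmatch(rev):
        return True
    if not _REF_NAME.fullmatch(rev):
        return False
    # A few git check-ref-format rules the character class alone does not enforce.
    if any(tok in rev for tok in ("..", "@{", "//", "/.")):
        return False
    if rev.endswith((".", "/", ".lock")):
        return False
    return True


@dataclass
class ClientError:
    status: int
    message: str
    reference: str  # opaque id that lets support find the full server-side log line


def sanitize_failure(exc: Exception, rev: str) -> ClientError:
    """Log the raw command output server-side; hand the client a fixed message plus a lookup id."""
    ref = uuid.uuid4().hex[:12]
    log.error("scm command failed ref=%s rev=%r detail=%s", ref, rev, exc)
    return ClientError(404, "The requested commit could not be resolved.", ref)


def lookup_commit(rev: str, run_git: Callable[[str], dict]) -> dict | ClientError:
    """Shape of the hardened endpoint: validate first, run git, map any failure to a safe response."""
    if not is_valid_revision(rev):
        return ClientError(400, "Invalid commit identifier.", "")
    try:
        return run_git(rev)
    except CommandFailedException as exc:
        return sanitize_failure(exc, rev)


def failing_git(rev: str) -> dict:
    """Constructed stand-in for the git call: always fails the way the report shows."""
    raise CommandFailedException(RAW_GIT_FAILURE)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for candidate in ("1'", "a1b2c3d", "refs/heads/main", "--output=x", "main..dev"):
        print(candidate, "->", lookup_commit(candidate, failing_git))
```

With the check in place the reported input never becomes a git argument, so the CommandFailedException path is only reached for well-formed identifiers that happen not to exist; even then the response carries the reference id rather than the command line, and the operator can correlate it with the full detail in the server log.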
Issue Links
- is duplicated by BSERV-12737 Parameter "path" causes "500 Internal Server Error" on Commits REST endpoint (Closed)