Bitbucket in no-mesh exposes mesh summary endpoint


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 8.2.3, 8.3.2, 8.4.0
    • Affects Version/s: 8.2.0
    • Component/s: Mesh
    • Severity 3 - Minor

      Issue Summary

      When Mesh is not activated, Bitbucket does not check authentication on GET requests to /rest/api/1.0/migration/mesh/summaries.
      When Mesh is activated, the same endpoint returns 401 for any unauthenticated request.

      This is reproducible on Data Center: (yes) / (no)

      Steps to Reproduce

      1. Install Bitbucket 8.x without configuring mesh
      2. Make an unauthenticated GET request to the endpoint: GET /rest/api/1.0/migration/mesh/summaries
         curl -H 'Accept: application/json' -H 'Content-Type: application/json' -X GET http://localhost:7990/rest/api/1.0/migration/mesh/summaries -d '{"start": 1}'

      Expected Results

      Bitbucket responds:

      HTTP 401
      {"errors":[{"context":null,"message":"You are not permitted to access this resource","exceptionName":"com.atlassian.bitbucket.AuthorisationException"}]}
      

      Actual Results

      Bitbucket responds:

      HTTP 200
      {"size":0,"limit":25,"isLastPage":true,"values":[],"start":0}
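      A small post-upgrade check, added here and not part of the original report: it sends one unauthenticated GET to the endpoint and classifies the reply using the two response shapes shown above (401 with an AuthorisationException versus 200 with a paginated "values" page). The base URL and the function names are assumptions.

```python
"""Check whether the Bitbucket mesh-summaries endpoint enforces authentication."""
import json
import sys
import urllib.error
import urllib.request

# Endpoint named in the bug report.
ENDPOINT = "/rest/api/1.0/migration/mesh/summaries"
AUTH_EXCEPTION = "com.atlassian.bitbucket.AuthorisationException"


def classify(status, body):
    """Classify an unauthenticated response as 'protected', 'exposed' or 'unknown'.

    'protected' matches the expected result (HTTP 401, AuthorisationException);
    'exposed' matches the actual result on affected versions (HTTP 200 plus a
    paginated page with a 'values' list); anything else is 'unknown'.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return "unknown"
    if status == 401:
        errors = data.get("errors", []) if isinstance(data, dict) else []
        if any(e.get("exceptionName") == AUTH_EXCEPTION for e in errors):
            return "protected"
        return "protected"  # 401 without the expected body still denies access
    if status == 200 and isinstance(data, dict) and isinstance(data.get("values"), list):
        return "exposed"
    return "unknown"


def probe(base_url, timeout=10):
    """Send one unauthenticated GET (no credentials, no body) and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; still classify it
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Assumed base URL; pass your own instance as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:7990"
    print(f"{base}{ENDPOINT}: {probe(base)}")
```

Run it against an instance before and after upgrading to a fixed version; "exposed" means the unauthenticated page is still being served.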
      

      Workaround

      Use the reverse proxy or load balancer in front of Bitbucket to block access to the affected endpoint from all external IPs.

            Assignee: Ben Humphreys
            Reporter: myles
            Votes: 0
            Watchers: 2
