Bitbucket Data Center
[BSERV-19859] Access Tokens can be used to access endpoints that they shouldn't be allowed to

Issue Summary

This is reproducible on Data Center: Yes

According to the documentation (https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html), HTTP Access Tokens are designed to allow authentication for REST URLs and for Git hosting requests over HTTP, but they can be used to access URLs other than these too. This shouldn't be possible.

Steps to Reproduce

1. Create an HTTP Access token with REPO_READ permissions for a given repository
2. Access a non-REST or Git hosting request using this token for authentication. One such example is a non-REST endpoint for retrieving the raw content of a file, $BASE_URL/projects/<project_key>/repos/<repo_slug>/raw/file.txt

Expected Results

The call isn't successful. The response status code varies depending on how the Access token is used for authentication:

• If the token is used in Bearer Authentication, a 302: FOUND is returned
• If the token is used in Basic Authentication, a 401: UNAUTHORIZED is returned, and repeated requests will eventually trigger Captcha as the system attempts to protect itself from bad actors.

Actual Results

The call is successful and in this case, the content of the file is returned.

Workaround

Access tokens are not meant to be used for requests other than REST or Git requests, so use a supported REST API or a Git request instead.
In this case, the supported REST API to retrieve the content of the file would be

$BASE_URL/rest/api/latest/projects/<project_key>/repos/<repo_slug>/raw/file.txt
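The scope rule the issue relies on (an access token is a valid credential only for REST URLs and Git hosting over HTTP) can be written down as a small policy check that an administrator could run over request records or use as a reverse-proxy rule while waiting for a fix, and the workaround above is a mechanical URL rewrite. The following is an added example, not Atlassian's code and not taken from the issue; it assumes REST paths live under /rest/ and Git hosting paths under /scm/<project_key>/<repo_slug>.git/ (assumptions), and the sample request records are constructed.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Assumed URL layout (not taken from the issue): REST endpoints live under
# /rest/, Git-over-HTTP hosting under /scm/<project_key>/<repo_slug>.git/...
REST_PREFIX = "/rest/"
GIT_HOSTING_RE = re.compile(r"^/scm/[^/]+/[^/]+\.git(?:/|$)")

# The non-REST raw-content endpoint named in the issue.
RAW_NON_REST_RE = re.compile(
    r"^/projects/(?P<project>[^/]+)/repos/(?P<repo>[^/]+)/raw/(?P<path>.+)$"
)


def _strip_query(path: str) -> str:
    return path.split("?", 1)[0]


def classify_path(path: str) -> str:
    """Return 'rest', 'git' or 'other' for a request path.

    Only 'rest' and 'git' fall within the documented scope of an HTTP access
    token; 'other' covers UI and similar non-REST endpoints such as the raw
    file view from the issue.
    """
    p = _strip_query(path)
    if p.startswith(REST_PREFIX):
        return "rest"
    if GIT_HOSTING_RE.match(p):
        return "git"
    return "other"


def token_allowed(path: str) -> bool:
    """True if an HTTP access token is an acceptable credential for this path."""
    return classify_path(path) in ("rest", "git")


def rest_equivalent(path: str) -> Optional[str]:
    """Rewrite the non-REST raw endpoint to the supported REST URL (the workaround).

    /projects/K/repos/S/raw/f.txt -> /rest/api/latest/projects/K/repos/S/raw/f.txt
    Returns None for any other path.
    """
    m = RAW_NON_REST_RE.match(_strip_query(path))
    if m is None:
        return None
    return (f"/rest/api/latest/projects/{m['project']}"
            f"/repos/{m['repo']}/raw/{m['path']}")


# Constructed sample of (method, path, auth scheme) records, such as a log
# review might produce. "bearer" is unambiguously token authentication; a
# token sent as the Basic-auth password is indistinguishable from a real
# password at this level, so Basic requests are left for separate review.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("GET", "/rest/api/latest/projects/PRJ/repos/app/raw/file.txt", "bearer"),
    ("GET", "/scm/PRJ/app.git/info/refs?service=git-upload-pack", "basic"),
    ("GET", "/projects/PRJ/repos/app/raw/file.txt", "bearer"),
    ("GET", "/projects/PRJ/repos/app/browse", "session"),
    ("POST", "/scm/PRJ/app.git/git-upload-pack", "bearer"),
]


def find_out_of_scope(
    requests: Sequence[Tuple[str, str, str]]
) -> List[Tuple[str, str, Optional[str]]]:
    """Return (method, path, rest_equivalent) for every Bearer-authenticated
    request whose path is outside the token's documented scope."""
    findings = []
    for method, path, auth in requests:
        if auth == "bearer" and not token_allowed(path):
            findings.append((method, path, rest_equivalent(path)))
    return findings


if __name__ == "__main__":
    for method, path, fix in find_out_of_scope(SAMPLE_REQUESTS):
        print(f"out of scope: {method} {path}" + (f" -> use {fix}" if fix else ""))
```

Run over the constructed sample, only the Bearer request to the non-REST raw endpoint is reported, together with the REST URL the issue gives as the supported alternative; the same `token_allowed` predicate is what a proxy in front of the instance would evaluate before forwarding a token-authenticated request.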



            Tomasz Prus made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 989504 ]
            Tomasz Prus made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 989505 ]
            Tomasz Prus made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 989310 ]
            Tomasz Prus made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 989505 ]
            Tomasz Prus made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 989504 ]
            Tomasz Prus made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 989310 ]
            Christian Glockner made changes -
            Remote Link New: This issue links to "PS-178466 (Atlassian Support System)" [ 988206 ]
            JP Mariano made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 987899 ]
            JP Mariano made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 988071 ]
            Chandravadan made changes -
            Description: in Expected Results, the status code returned for Bearer Authentication was changed from "302: REDIRECT" to "302: FOUND". The rest of the description is unchanged (its "the documentation" reference links to https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html).

              csubraveti Chandravadan