[BSERV-8875] Smart Commits - only run actions from commits authored by the pusher - Create and track feature requests for Atlassian products.

Type: Suggestion
Resolution: Answered
Fix Version/s: None
Component/s: AppLinks, Integration - JIRA
Labels:
- cvss-low
- security

Feedback Policy:

We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Currently Smart Commits parses every commit message and executes any actions as the author of that commit. This means a malicious person given access to your codebase can act as another user for Smart Commit actions, and instances that don't have this level of trust in the people writing their code can't use Smart Commits.

This suggestion is to introduce an option that will only execute actions on commits where the author's email address matches the email address of the Bitbucket Server user doing the push.

This means a pusher can't maliciously attribute actions to others, but also means that if a pusher is the first person to push someone else's commits to Bitbucket Server, those commits will never have their actions run.

Workaround

Bitbucket Server 5.0 includes the "Verify committer" repository hook that ensures all new commits are authored by the person pushing them. If you enable this hook, the pusher will not be able to perform actions on behalf of other users by faking commit data.

is related to

BSERV-2642 Push Traceability

Closed

relates to

BSERV-8914 Smart Commits - only run actions from commits authored by the pusher

Closed

mentioned in: Page Failed to load

Form Name

Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM

Given the currently available workaround, it's unlikely we'd also make changes to only apply smart commits when authored by the same person that's pushing.

Please comment here if there are significant issues arising despite the workaround and we'll reconsider.

Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM Given the currently available workaround, it's unlikely we'd also make changes to only apply smart commits when authored by the same person that's pushing. Please comment here if there are significant issues arising despite the workaround and we'll reconsider.

Adam Ahmed (Inactive) added a comment - 30/Jun/2016 4:04 AM - edited

njoneill that seems like a reasonable suggestion.

Just to manage expectations, it's worth noting that given our current implementation, it's not as trivial a change as it sounds (we don't have access to the pusher's identity in the right places).

Thanks for the suggestion!

Adam Ahmed (Inactive) added a comment - 30/Jun/2016 4:04 AM - edited njoneill that seems like a reasonable suggestion. Just to manage expectations, it's worth noting that given our current implementation, it's not as trivial a change as it sounds (we don't have access to the pusher's identity in the right places). Thanks for the suggestion!

Neil O'Neill added a comment - 29/Jun/2016 5:19 PM

A user has to authenticate to Bitbucket in order to perform a push, so Bitbucket has a confirmed identity for the user in this case. Could we have a mode in Bitbucket where this confirmed identity is used to provide the email address for commits, and the unconfirmed information coming from the git client is ignored? It seems that this would be a fix for this current issue and ~~BSERV-2717~~ as well.

Neil O'Neill added a comment - 29/Jun/2016 5:19 PM A user has to authenticate to Bitbucket in order to perform a push, so Bitbucket has a confirmed identity for the user in this case. Could we have a mode in Bitbucket where this confirmed identity is used to provide the email address for commits, and the unconfirmed information coming from the git client is ignored? It seems that this would be a fix for this current issue and BSERV-2717 as well.

Adam Ahmed (Inactive) added a comment - 29/Jun/2016 5:32 AM

This is a known and mostly unavoidable case due to Git's lack of real authentication of commits (unless you enforce signed commits). We'll be updating our docs shortly to mention this problem and give a better forewarning about the implications if you can't trust your committers.

Watch and vote on ~~BSERV-2717~~ for support for signed commit enforcement, which might be helpful for cases like this.

Cheers,
Adam

Adam Ahmed (Inactive) added a comment - 29/Jun/2016 5:32 AM This is a known and mostly unavoidable case due to Git's lack of real authentication of commits (unless you enforce signed commits). We'll be updating our docs shortly to mention this problem and give a better forewarning about the implications if you can't trust your committers. Watch and vote on BSERV-2717 for support for signed commit enforcement, which might be helpful for cases like this. Cheers, Adam

Details

Description

Workaround

Attachments

Issue Links

Forms

Activity

[BSERV-8875] Smart Commits - only run actions from commits authored by the pusher

Collapse comment: Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM

Expand comment: Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM

Collapse comment: Adam Ahmed (Inactive) added a comment - 30/Jun/2016 4:04 AM, Edited by Brent P - 24/Oct/2016 7:48 AM

Expand comment: Adam Ahmed (Inactive) added a comment - 30/Jun/2016 4:04 AM, Edited by Brent P - 24/Oct/2016 7:48 AM

Collapse comment: Neil O'Neill added a comment - 29/Jun/2016 5:19 PM

Expand comment: Neil O'Neill added a comment - 29/Jun/2016 5:19 PM

Collapse comment: Adam Ahmed (Inactive) added a comment - 29/Jun/2016 5:32 AM

Expand comment: Adam Ahmed (Inactive) added a comment - 29/Jun/2016 5:32 AM

People

Dates

Backbone Issue Sync