• Type: Suggestion
• Resolution: Answered
• Fix Version/s: None
• Component/s: AppLinks, Integration - JIRA
• Labels:

  • cvss-low
  • security

[BSERV-8875] Smart Commits - only run actions from commits authored by the pusher

Katherine Yabut made changes - 19/Sep/2019 5:50 AM

Workflow	Original: JAC Suggestion Workflow [ 3394927 ]	New: JAC Suggestion Workflow 3 [ 3623439 ]
Status	Original: RESOLVED [ 5 ]	New: Closed [ 6 ]

Monique Khairuliana (Inactive) made changes - 21/Aug/2019 12:44 AM

Workflow

Original: BSERV Suggestions Workflow [ 2683550 ]

New: JAC Suggestion Workflow [ 3394927 ]

Owen made changes - 04/Jun/2018 4:06 AM

Workflow	Original: Stash Workflow [ 1422571 ]	New: BSERV Suggestions Workflow [ 2683550 ]
Status	Original: Closed [ 6 ]	New: Resolved [ 5 ]

Roger Barnes (Inactive) made changes - 15/May/2017 2:02 AM

Resolution		New: Answered [ 9 ]
Status	Original: Open [ 1 ]	New: Closed [ 6 ]

Collapse comment: Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM

Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM

Given the currently available workaround, it's unlikely we'd also make changes to only apply smart commits when authored by the same person that's pushing.

Please comment here if there are significant issues arising despite the workaround and we'll reconsider.

Expand comment: Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM

Roger Barnes (Inactive) added a comment - 15/May/2017 2:02 AM Given the currently available workaround, it's unlikely we'd also make changes to only apply smart commits when authored by the same person that's pushing. Please comment here if there are significant issues arising despite the workaround and we'll reconsider.

Brent P made changes - 12/May/2017 4:26 AM

Description

Original: Currently Smart Commits parses every commit message and executes any actions as the author of that commit. This means a malicious person given access to your codebase can act as another user for Smart Commit actions, and instances that don't have this level of trust in the people writing their code can't use Smart Commits. This suggestion is to introduce an option that will only execute actions on commits where the author's email address matches the email address of the Bitbucket Server user doing the push. This means a pusher can't maliciously attribute actions to others, but also means that if a pusher is the first person to push someone else's commits to Bitbucket Server, those commits will never have their actions run. h2. Workaround Bitbucket Server 5.0 includes a repository hook that requires all pushed commits come

New: Currently Smart Commits parses every commit message and executes any actions as the author of that commit. This means a malicious person given access to your codebase can act as another user for Smart Commit actions, and instances that don't have this level of trust in the people writing their code can't use Smart Commits. This suggestion is to introduce an option that will only execute actions on commits where the author's email address matches the email address of the Bitbucket Server user doing the push. This means a pusher can't maliciously attribute actions to others, but also means that if a pusher is the first person to push someone else's commits to Bitbucket Server, those commits will never have their actions run. h2. Workaround Bitbucket Server 5.0 includes the ["Verify committer" repository hook|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Server+5.0+release+notes#BitbucketServer5.0releasenotes-Committerverification] that ensures all new commits are authored by the person pushing them. If you enable this hook, the pusher will not be able to perform actions on behalf of other users by faking commit data.

Brent P made changes - 12/May/2017 4:21 AM

Description

Original: Currently Smart Commits parses every commit message and executes any actions as the author of that commit. This means a malicious person given access to your codebase can act as another user for Smart Commit actions, and instances that don't have this level of trust in the people writing their code can't use Smart Commits. This suggestion is to introduce an option that will only execute actions on commits where the author's email address matches the email address of the Bitbucket Server user doing the push. This means a pusher can't maliciously attribute actions to others, but also means that if a pusher is the first person to push someone else's commits to Bitbucket Server, those commits will never have their actions run.

New: Currently Smart Commits parses every commit message and executes any actions as the author of that commit. This means a malicious person given access to your codebase can act as another user for Smart Commit actions, and instances that don't have this level of trust in the people writing their code can't use Smart Commits. This suggestion is to introduce an option that will only execute actions on commits where the author's email address matches the email address of the Bitbucket Server user doing the push. This means a pusher can't maliciously attribute actions to others, but also means that if a pusher is the first person to push someone else's commits to Bitbucket Server, those commits will never have their actions run. h2. Workaround Bitbucket Server 5.0 includes a repository hook that requires all pushed commits come

Brent P made changes - 12/Apr/2017 1:32 AM

Remote Link

New: This issue links to "Page (Extranet)" [ 279462 ]

Adam Ahmed (Inactive) made changes - 21/Jul/2016 4:25 AM

Assignee

Original: Adam Ahmed [ aahmed ]

Adam Ahmed (Inactive) made changes - 07/Jul/2016 12:25 AM

Summary

Original: Smart Commits allow a user without permissions to a JIRA ticket to take action on that ticket as another user

New: Smart Commits - only run actions from commits authored by the pusher

Load more older events